SASLizing Interbroker Links

-------------------------------------------------------------

1. Brokers already knew how to handle the server side of SASLized
   links, but not the client side.  So we promoted the client-side
   SASL code from the client library to the common library so that
   the broker could also use it.  This affected SaslFactory.{h,cpp}
   and Sasl.h
   TODO -- can the server-side and client-side code be unified here?

2. Some of the SASL verbs in broker/ConnectionHandler.cpp are
   expanded: start, secure, tune.

3. broker/SecureConnection is altered to get the client-broker and
   the server-broker to agree on when the security layer should be
   inserted.

4. the python tool qpid-route is modified so that, in the "route add"
   command, you can specify the security mechanism for SASL to use.
   TODO -- should we also pass in {min,max}SSF ?

5. Changes in broker/LinkRegistry to allow the information input by
   qpid-route to be passed up to where it is needed.

6. A bash script test run by "make check" that creates a SASLized
   federation link and sends some messages down it.
   TODO - write a python unit test instead of a bash script.  I
          think I uncovered a bug in the python code when I tried.

7. NOTE - testing for this feature does not work with versions of
   SASL earlier than 2.1.22, becuase I can't tell SASL to use a
   SASL database file in a nonstandard location.  The test is
   disabled for earlier versions.




git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@1024541 13f79535-47bb-0310-9956-ffa450edef68

1 files changed, 96 insertions, 8 deletions

diff --git a/cpp/src/qpid/broker/ConnectionHandler.cpp b/cpp/src/qpid/broker/ConnectionHandler.cpp
index c349bc7ac7..c812374d38 100644
--- a/cpp/src/qpid/broker/ConnectionHandler.cpp
+++ b/cpp/src/qpid/broker/ConnectionHandler.cpp
@@ -20,6 +20,7 @@
  *
  */
 
+#include "qpid/SaslFactory.h"
 #include "qpid/broker/ConnectionHandler.h"
 #include "qpid/broker/Connection.h"
 #include "qpid/broker/SecureConnection.h"
@@ -49,6 +50,7 @@ const std::string CLIENT_PROCESS_NAME("qpid.client_process");
 const std::string CLIENT_PID("qpid.client_pid");
 const std::string CLIENT_PPID("qpid.client_ppid");
 const int SESSION_FLOW_CONTROL_VER = 1;
+const std::string SPACE(" ");
 }
 
 void ConnectionHandler::close(connection::CloseCode code, const string& text)
@@ -106,7 +108,10 @@ ConnectionHandler::Handler::Handler(Connection& c, bool isClient, bool isShadow)
         boost::shared_ptr<FieldValue> l(new Str16Value(en_US));
         locales.add(l);
         proxy.start(properties, mechanisms, locales);
+        
     }
+
+    maxFrameSize = (64 * 1024) - 1;
 }
 
 
@@ -230,33 +235,105 @@ void ConnectionHandler::Handler::heartbeat(){
 }
 
 void ConnectionHandler::Handler::start(const FieldTable& serverProperties,
-                                       const framing::Array& /*mechanisms*/,
+                                       const framing::Array& supportedMechanisms,
                                        const framing::Array& /*locales*/)
 {
-    string mechanism = connection.getAuthMechanism();
+    string requestedMechanism = connection.getAuthMechanism();
     string response  = connection.getAuthCredentials();
 
+    std::string username = connection.getUsername();
+    std::string password = connection.getPassword();
+    std::string host     = connection.getHost();
+    std::string service("qpidd");
+
+    sasl = SaslFactory::getInstance().create( username,
+                                              password,
+                                              service,
+                                              host,
+                                              0,   // TODO -- mgoulish Fri Sep 24 06:41:26 EDT 2010
+                                              256  /* TODO -- mgoulish*/ );
+    std::string supportedMechanismsList;
+    bool requestedMechanismIsSupported = false;
+    Array::const_iterator i;
+
+    /*
+      If no specific mechanism has been requested, just make
+      a list of all of them, and assert that the one the caller
+      requested is there.  ( If *any* are supported! )
+    */
+    if ( requestedMechanism.empty() ) {
+        for ( i = supportedMechanisms.begin(); i != supportedMechanisms.end(); ++i) {
+            if (i != supportedMechanisms.begin())
+                supportedMechanismsList += SPACE;
+            supportedMechanismsList += (*i)->get<std::string>();
+            requestedMechanismIsSupported = true;
+        }
+    }
+    else {
+        requestedMechanismIsSupported = false;
+        /*
+          The caller has requested a mechanism.  If it's available,
+          make sure it ends up at the head of the list.
+        */
+        for ( i = supportedMechanisms.begin(); i != supportedMechanisms.end(); ++i) {
+            string currentMechanism = (*i)->get<std::string>();
+
+            if ( requestedMechanism == currentMechanism ) {
+                requestedMechanismIsSupported = true;
+                supportedMechanismsList = currentMechanism + SPACE + supportedMechanismsList;
+            } else {
+                if (i != supportedMechanisms.begin())
+                    supportedMechanismsList += SPACE;
+                supportedMechanismsList += currentMechanism;
+            }
+        }
+    }
+
     connection.setFederationPeerTag(serverProperties.getAsString(QPID_FED_TAG));
 
     FieldTable ft;
     ft.setInt(QPID_FED_LINK,1);
     ft.setString(QPID_FED_TAG, connection.getBroker().getFederationTag());
-    proxy.startOk(ft, mechanism, response, en_US);
+
+    if (sasl.get()) {
+        string response =
+            sasl->start ( requestedMechanism.empty()
+                              ? supportedMechanismsList
+                              : requestedMechanism,
+                          getSecuritySettings 
+                              ? getSecuritySettings()
+                              : 0
+                        );
+        proxy.startOk ( ft, sasl->getMechanism(), response, en_US );
+    }
+    else {
+        string response = ((char)0) + username + ((char)0) + password;
+        proxy.startOk ( ft, requestedMechanism, response, en_US );
+    }
+
 }
 
-void ConnectionHandler::Handler::secure(const string& /*challenge*/)
+void ConnectionHandler::Handler::secure(const string& challenge )
 {
-    proxy.secureOk("");
+    if (sasl.get()) {
+        string response = sasl->step(challenge);
+        proxy.secureOk(response);
+    }
+    else {
+        proxy.secureOk("");
+    }
 }
 
 void ConnectionHandler::Handler::tune(uint16_t channelMax,
-                                      uint16_t frameMax,
+                                      uint16_t maxFrameSizeProposed,
                                       uint16_t /*heartbeatMin*/,
                                       uint16_t heartbeatMax)
 {
-    connection.setFrameMax(frameMax);
+    maxFrameSize = std::min(maxFrameSize, maxFrameSizeProposed);
+    connection.setFrameMax(maxFrameSize);
+
     connection.setHeartbeat(heartbeatMax);
-    proxy.tuneOk(channelMax, frameMax, heartbeatMax);
+    proxy.tuneOk(channelMax, maxFrameSize, heartbeatMax);
     proxy.open("/", Array(), true);
 }
 
@@ -266,6 +343,17 @@ void ConnectionHandler::Handler::openOk(const framing::Array& knownHosts)
         Url url((*i)->get<std::string>());
         connection.getKnownHosts().push_back(url);
     }
+
+    if (sasl.get()) {
+        std::auto_ptr<qpid::sys::SecurityLayer> securityLayer = sasl->getSecurityLayer(maxFrameSize);
+
+        if ( securityLayer.get() ) {
+          secured->activateSecurityLayer(securityLayer, true);
+        }
+
+        saslUserId = sasl->getUserId();
+    }
+
     isOpen = true;
 }