authorCharles E. Rolke <chug@apache.org>2014-07-15 22:54:51 +0000
committerCharles E. Rolke <chug@apache.org>2014-07-15 22:54:51 +0000
commitde1ec0610d7dfc789a4fd9dadf8cd479d48478c1 (patch)
tree5df20b014132701a53c177e88632bdd6fa9daa8f /qpid/cpp/src/tests
parent1f512d55a9cb90dd6184d1c7f03df0f9f4add2f2 (diff)
QPID-4947: C++ Broker ACL restricts hosts from which users may connect.
This commit adds: * Acl rule file "create connection host=hostname" support for allowing and denying connections. * AclHost class to represent a host specified in the rule file. * Global and user-specific lists of AclHost rules. Created by AclReader and consumed by AclConnectionCounter. * Address range checks and other giblets in SocketAddress: ** asString support to hide IPv6 decoration and service (port) details. ** binary comparison of network addresses. ** new firstAddress function to complement existing nextAddress. Socket addrinfo for AclHost objects is computed once only for lifetime of Acl file load. ** Posix and Windows implementations are identical. * New unit test for address comparisons. Testing a live broker is great but forcing connections to be from some arbitrary IPv4 or IPv6 address is hard. So there's a unit test for that. Further discussion about this feature is in https://reviews.apache.org/r/23322 git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@1610874 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'qpid/cpp/src/tests')
-rw-r--r--qpid/cpp/src/tests/Acl.cpp21
-rw-r--r--qpid/cpp/src/tests/AclHost.cpp119
-rw-r--r--qpid/cpp/src/tests/CMakeLists.txt1
3 files changed, 132 insertions, 9 deletions
diff --git a/qpid/cpp/src/tests/Acl.cpp b/qpid/cpp/src/tests/Acl.cpp
index d5180a11a8..75a52c8ca1 100644
--- a/qpid/cpp/src/tests/Acl.cpp
+++ b/qpid/cpp/src/tests/Acl.cpp
@@ -37,13 +37,14 @@ QPID_AUTO_TEST_SUITE(AclTestSuite)
BOOST_CHECK_EQUAL(AclHelper::getObjectType((s)),(e))
QPID_AUTO_TEST_CASE(TestLexerObjectEnums) {
- BOOST_CHECK_EQUAL(OBJECTSIZE, 6);
- OBJ_ENUMS(OBJ_QUEUE, "queue");
- OBJ_ENUMS(OBJ_EXCHANGE, "exchange");
- OBJ_ENUMS(OBJ_BROKER, "broker");
- OBJ_ENUMS(OBJ_LINK, "link");
- OBJ_ENUMS(OBJ_METHOD, "method");
- OBJ_ENUMS(OBJ_QUERY, "query");
+ BOOST_CHECK_EQUAL(OBJECTSIZE, 7);
+ OBJ_ENUMS(OBJ_QUEUE, "queue");
+ OBJ_ENUMS(OBJ_EXCHANGE, "exchange");
+ OBJ_ENUMS(OBJ_BROKER, "broker");
+ OBJ_ENUMS(OBJ_LINK, "link");
+ OBJ_ENUMS(OBJ_METHOD, "method");
+ OBJ_ENUMS(OBJ_QUERY, "query");
+ OBJ_ENUMS(OBJ_CONNECTION, "connection");
}
#define ACT_ENUMS(e, s) \
@@ -71,7 +72,7 @@ QPID_AUTO_TEST_CASE(TestLexerActionEnums) {
BOOST_CHECK_EQUAL(AclHelper::getProperty((s)),(e))
QPID_AUTO_TEST_CASE(TestLexerPropertyEnums) {
- BOOST_CHECK_EQUAL(PROPERTYSIZE, 20);
+ BOOST_CHECK_EQUAL(PROPERTYSIZE, 21);
PROP_ENUMS(PROP_NAME, "name");
PROP_ENUMS(PROP_DURABLE, "durable");
PROP_ENUMS(PROP_OWNER, "owner");
@@ -86,6 +87,7 @@ QPID_AUTO_TEST_CASE(TestLexerPropertyEnums) {
PROP_ENUMS(PROP_SCHEMACLASS, "schemaclass");
PROP_ENUMS(PROP_POLICYTYPE, "policytype");
PROP_ENUMS(PROP_PAGING, "paging");
+ PROP_ENUMS(PROP_HOST, "host");
PROP_ENUMS(PROP_MAXPAGES, "maxpages");
PROP_ENUMS(PROP_MAXPAGEFACTOR, "maxpagefactor");
PROP_ENUMS(PROP_MAXQUEUESIZE, "maxqueuesize");
@@ -100,7 +102,7 @@ QPID_AUTO_TEST_CASE(TestLexerPropertyEnums) {
BOOST_CHECK_EQUAL(AclHelper::getSpecProperty((s)),(e))
QPID_AUTO_TEST_CASE(TestLexerSpecPropertyEnums) {
- BOOST_CHECK_EQUAL(SPECPROPSIZE, 26);
+ BOOST_CHECK_EQUAL(SPECPROPSIZE, 27);
SPECPROP_ENUMS(SPECPROP_NAME, "name");
SPECPROP_ENUMS(SPECPROP_DURABLE, "durable");
SPECPROP_ENUMS(SPECPROP_OWNER, "owner");
@@ -115,6 +117,7 @@ QPID_AUTO_TEST_CASE(TestLexerSpecPropertyEnums) {
SPECPROP_ENUMS(SPECPROP_SCHEMACLASS, "schemaclass");
SPECPROP_ENUMS(SPECPROP_POLICYTYPE, "policytype");
SPECPROP_ENUMS(SPECPROP_PAGING, "paging");
+ SPECPROP_ENUMS(SPECPROP_HOST, "host");
SPECPROP_ENUMS(SPECPROP_MAXQUEUESIZELOWERLIMIT, "queuemaxsizelowerlimit");
SPECPROP_ENUMS(SPECPROP_MAXQUEUESIZEUPPERLIMIT, "queuemaxsizeupperlimit");
SPECPROP_ENUMS(SPECPROP_MAXQUEUECOUNTLOWERLIMIT, "queuemaxcountlowerlimit");
diff --git a/qpid/cpp/src/tests/AclHost.cpp b/qpid/cpp/src/tests/AclHost.cpp
new file mode 100644
index 0000000000..068b1cae84
--- /dev/null
+++ b/qpid/cpp/src/tests/AclHost.cpp
@@ -0,0 +1,119 @@
+/*
+ *
+ * Copyright (c) 2014 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+
+#include "unit_test.h"
+#include "test_tools.h"
+#include "qpid/AclHost.h"
+#include <boost/assign.hpp>
+
+using namespace std;
+using namespace qpid;
+using namespace boost::assign;
+
+namespace qpid {
+namespace tests {
+
+QPID_AUTO_TEST_SUITE(AclHostTestSuite)
+
+#define ACLURL_CHECK_INVALID(STR) BOOST_CHECK_THROW(AclHost(STR), AclHost::Invalid)
+
+QPID_AUTO_TEST_CASE(TestParseTcpIPv4) {
+ BOOST_CHECK_EQUAL(AclHost("1.1.1.1").str(), "(1.1.1.1,1.1.1.1)");
+ BOOST_CHECK_EQUAL(AclHost("1.1.1.1,2.2.2.2").str(), "(1.1.1.1,2.2.2.2)");
+}
+
+QPID_AUTO_TEST_CASE(TestParseTcpIPv6) {
+ BOOST_CHECK_EQUAL(AclHost("[::1]").str(), "([::1],[::1])");
+ BOOST_CHECK_EQUAL(AclHost("[::1],::5").str(), "([::1],[::5])");
+}
+
+QPID_AUTO_TEST_CASE(TestParseAll) {
+ BOOST_CHECK_EQUAL(AclHost("").str(), "(all)");
+}
+
+QPID_AUTO_TEST_CASE(TestInvalidMixedIpFamilies) {
+ ACLURL_CHECK_INVALID("1.1.1.1,[::1]");
+ ACLURL_CHECK_INVALID("[::1],1.1.1.1");
+}
+
+QPID_AUTO_TEST_CASE(TestMalformedIPv4) {
+ ACLURL_CHECK_INVALID("1.1.1.1.1");
+ ACLURL_CHECK_INVALID("1.1.1.777");
+ ACLURL_CHECK_INVALID("1.1.1.1abcd");
+ ACLURL_CHECK_INVALID("1.1.1.*");
+}
+
+QPID_AUTO_TEST_CASE(TestRangeWithInvertedSizeOrder) {
+ ACLURL_CHECK_INVALID("1.1.1.100,1.1.1.1");
+ ACLURL_CHECK_INVALID("[FF::1],[::1]");
+}
+
+QPID_AUTO_TEST_CASE(TestSingleHostResolvesMultipleAddresses) {
+ AclHost XX("localhost");
+}
+
+QPID_AUTO_TEST_CASE(TestMatchSingleAddresses) {
+ AclHost host1("1.1.1.1");
+ BOOST_CHECK(host1.match("1.1.1.1") == true);
+ BOOST_CHECK(host1.match("1.2.1.1") == false);
+
+ AclHost host2("FF::1");
+ BOOST_CHECK(host2.match("00FF:0000::1") == true);
+}
+
+QPID_AUTO_TEST_CASE(TestMatchMultipleAddresses) {
+ AclHost host1("localhost");
+ BOOST_CHECK(host1.match("127.0.0.1") == true);
+ BOOST_CHECK(host1.match("::1") == true);
+ BOOST_CHECK(host1.match("128.1.1.1") == false);
+ BOOST_CHECK(host1.match("::abcd") == false);
+}
+
+QPID_AUTO_TEST_CASE(TestMatchIPv4Range) {
+ AclHost host1("192.168.0.0,192.168.255.255");
+ BOOST_CHECK(host1.match("128.1.1.1") == false);
+ BOOST_CHECK(host1.match("192.167.255.255") == false);
+ BOOST_CHECK(host1.match("192.168.0.0") == true);
+ BOOST_CHECK(host1.match("192.168.0.1") == true);
+ BOOST_CHECK(host1.match("192.168.1.0") == true);
+ BOOST_CHECK(host1.match("192.168.255.254") == true);
+ BOOST_CHECK(host1.match("192.168.255.255") == true);
+ BOOST_CHECK(host1.match("192.169.0.0") == false);
+ BOOST_CHECK(host1.match("::1") == false);
+}
+
+QPID_AUTO_TEST_CASE(TestMatchIPv6Range) {
+ AclHost host1("::10,::1:0");
+ BOOST_CHECK(host1.match("::1") == false);
+ BOOST_CHECK(host1.match("::f") == false);
+ BOOST_CHECK(host1.match("::10") == true);
+ BOOST_CHECK(host1.match("::11") == true);
+ BOOST_CHECK(host1.match("::ffff") == true);
+ BOOST_CHECK(host1.match("::1:0") == true);
+ BOOST_CHECK(host1.match("::1:1") == false);
+ BOOST_CHECK(host1.match("192.169.0.0") == false);
+ AclHost host2("[fc00::],[fc00::ff]");
+ BOOST_CHECK(host2.match("fc00::") == true);
+ BOOST_CHECK(host2.match("fc00::1") == true);
+ BOOST_CHECK(host2.match("fc00::ff") == true);
+ BOOST_CHECK(host2.match("fc00::100") == false);
+}
+QPID_AUTO_TEST_SUITE_END()
+
+}} // namespace qpid::tests
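Review bot: TestMatchIPv4Range and TestMatchIPv6Range cross address families only with plain `::1` and `192.169.0.0`, so nothing pins how an IPv4 rule treats a peer reported as an IPv4-mapped IPv6 address (`::ffff:a.b.c.d`), which is how a dual-stack listener can present an IPv4 client. Because these ranges back allow/deny decisions, I would add a check such as `BOOST_CHECK(host1.match("::ffff:192.168.0.1") == true);` to TestMatchIPv4Range, with the expected value set to whatever AclHost is meant to do (its implementation is outside this diff), so that a deny rule cannot silently stop applying. Separately, TestSingleHostResolvesMultipleAddresses contains no assertion, and TestMatchMultipleAddresses needs `localhost` to resolve to both 127.0.0.1 and ::1, which depends on the build host's resolver configuration; a comment such as `// requires localhost to resolve to both 127.0.0.1 and ::1` would make failures on IPv4-only hosts explainable. TestMalformedIPv4 has no IPv6 counterpart and no case passes a malformed string to `match()`; a test showing that such input is rejected or returns false would document that matching fails closed.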
diff --git a/qpid/cpp/src/tests/CMakeLists.txt b/qpid/cpp/src/tests/CMakeLists.txt
index b556464db8..b314b966f5 100644
--- a/qpid/cpp/src/tests/CMakeLists.txt
+++ b/qpid/cpp/src/tests/CMakeLists.txt
@@ -167,6 +167,7 @@ set (qpid_test_boost_libs
set(all_unit_tests
AccumulatedAckTest
Acl
+ AclHost
Array
AsyncCompletion
AtomicValue