authorRajith Muditha Attapattu <rajith@apache.org>2008-09-30 16:50:02 +0000
committerRajith Muditha Attapattu <rajith@apache.org>2008-09-30 16:50:02 +0000
commitb114ea977d82a8dce318c084b9b64253e26f109f (patch)
tree43fae24dc3c5244fd63cdc878298cfebc0b2c259 /qpid/cpp/src
parentaa5bbe424e19fb9640bac46adecb57fb30b23337 (diff)
downloadqpid-python-b114ea977d82a8dce318c084b9b64253e26f109f.tar.gz
This is for QPID-1297.
This commit adds ACL checks for creation and deletion of federation links. The AclModule.h was modified to have a default value for params in the authorize method. git-svn-id: https://svn.apache.org/repos/asf/incubator/qpid/trunk@700525 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'qpid/cpp/src')
-rw-r--r--qpid/cpp/src/qpid/broker/AclModule.h2
-rw-r--r--qpid/cpp/src/qpid/broker/ConnectionHandler.cpp12
-rw-r--r--qpid/cpp/src/qpid/broker/ConnectionHandler.h26
-rw-r--r--qpid/cpp/src/qpid/broker/Link.cpp9
-rw-r--r--qpid/cpp/src/qpid/broker/Link.h1
5 files changed, 35 insertions, 15 deletions
diff --git a/qpid/cpp/src/qpid/broker/AclModule.h b/qpid/cpp/src/qpid/broker/AclModule.h
index 851e43c3f4..942c74ada7 100644
--- a/qpid/cpp/src/qpid/broker/AclModule.h
+++ b/qpid/cpp/src/qpid/broker/AclModule.h
@@ -54,7 +54,7 @@ public:
virtual bool doTransferAcl()=0;
virtual bool authorise(const std::string& id, const acl::Action& action, const acl::ObjectType& objType, const std::string& name,
- std::map<acl::Property, std::string>* params)=0;
+ std::map<acl::Property, std::string>* params=0)=0;
virtual bool authorise(const std::string& id, const acl::Action& action, const acl::ObjectType& objType, const std::string& ExchangeName,
const std::string& RoutingKey)=0;
// create specilied authorise methods for cases that need faster matching as needed.
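Review bot: The default argument added on line 30 is placed on a pure virtual; default arguments are bound statically, so an implementation that overrides `authorise` does not inherit `params=0` and a call made through the derived type still needs the fifth argument. The new callers in this commit go through `AclModule*`, so it works today, but the conventional shape is a non-virtual forwarding overload in the interface, e.g. `bool authorise(const std::string& id, const acl::Action& action, const acl::ObjectType& objType, const std::string& name) { return authorise(id, action, objType, name, 0); }`. Separately, the implementation behind this method must now tolerate a null `params` because the CREATE/DELETE LINK callers never pass one; that implementation is outside this diff, so it is worth confirming it checks for null before dereferencing or iterating the map.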
diff --git a/qpid/cpp/src/qpid/broker/ConnectionHandler.cpp b/qpid/cpp/src/qpid/broker/ConnectionHandler.cpp
index 7281fb53c6..fae4992270 100644
--- a/qpid/cpp/src/qpid/broker/ConnectionHandler.cpp
+++ b/qpid/cpp/src/qpid/broker/ConnectionHandler.cpp
@@ -28,6 +28,7 @@
#include "qpid/framing/ServerInvoker.h"
#include "qpid/framing/enum.h"
#include "qpid/log/Statement.h"
+#include "AclModule.h"
using namespace qpid;
using namespace qpid::broker;
@@ -72,9 +73,12 @@ ConnectionHandler::ConnectionHandler(Connection& connection, bool isClient) : h
ConnectionHandler::Handler::Handler(Connection& c, bool isClient) :
client(c.getOutput()), server(c.getOutput()),
- connection(c), serverMode(!isClient)
+ connection(c), serverMode(!isClient), acl(0)
{
if (serverMode) {
+
+ acl = connection.getBroker().getAcl();
+
FieldTable properties;
Array mechanisms(0x95);
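Review bot: `acl` is captured once from `connection.getBroker().getAcl()` in the constructor (line 53) rather than looked up at the point of use; if the broker can load or replace its ACL module after a connection has been set up, this handler would keep evaluating the module that existed at construction. If the module is fixed for the broker's lifetime that is fine, and a comment on line 53 such as `// cached: the broker's ACL module is assumed fixed for the broker's lifetime` would make the assumption visible. The pointer is only set in server mode, which matches the check in startOk being a server-side decision; in client mode it stays at the `0` from the initialiser list.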
@@ -100,7 +104,11 @@ void ConnectionHandler::Handler::startOk(const framing::FieldTable& clientProper
authenticator->start(mechanism, response);
connection.setFederationLink(clientProperties.get(QPID_FED_LINK));
if (connection.isFederationLink()){
- QPID_LOG(info, "Connection is a federation link");
+ if (acl && !acl->authorise(connection.getUserId(),acl::CREATE,acl::LINK,"")){
+ client.close(framing::connection::CLOSE_CODE_CONNECTION_FORCED,"ACL denied creating a federation link");
+ return;
+ }
+ QPID_LOG(info, "Connection is a federation link");
}
}
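Review bot: The CREATE LINK check on line 62 reads `connection.getUserId()` immediately after `authenticator->start(mechanism, response)`; for challenge-response SASL mechanisms the peer's identity may not be established until `secureOk`, in which case the ACL is evaluated against an empty or provisional user id and the result depends on how the ACL module treats such an id. Unless the authenticator guarantees a final identity at this point for every mechanism, the check belongs after authentication completes (or has to be repeated once it does). The denial path also sends the close frame without recording why; `QPID_LOG(warning, "ACL denied federation link for user " << connection.getUserId());` before `client.close(...)` would give operators an audit trail. Note too that `connection.setFederationLink(...)` on line 59 has already flagged the connection before the check runs; if the close is not immediately effective, clearing that flag on denial would avoid a refused peer being treated as a link by later code.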
diff --git a/qpid/cpp/src/qpid/broker/ConnectionHandler.h b/qpid/cpp/src/qpid/broker/ConnectionHandler.h
index a04936a943..9d8a091f21 100644
--- a/qpid/cpp/src/qpid/broker/ConnectionHandler.h
+++ b/qpid/cpp/src/qpid/broker/ConnectionHandler.h
@@ -33,6 +33,7 @@
#include "qpid/framing/ProtocolInitiation.h"
#include "qpid/framing/ProtocolVersion.h"
#include "qpid/Exception.h"
+#include "AclModule.h"
namespace qpid {
namespace broker {
@@ -49,35 +50,36 @@ class ConnectionHandler : public framing::FrameHandler
Connection& connection;
bool serverMode;
std::auto_ptr<SaslAuthenticator> authenticator;
-
+ AclModule* acl;
+
Handler(Connection& connection, bool isClient);
~Handler();
void startOk(const qpid::framing::FieldTable& clientProperties,
const std::string& mechanism, const std::string& response,
- const std::string& locale);
- void secureOk(const std::string& response);
- void tuneOk(uint16_t channelMax, uint16_t frameMax, uint16_t heartbeat);
+ const std::string& locale);
+ void secureOk(const std::string& response);
+ void tuneOk(uint16_t channelMax, uint16_t frameMax, uint16_t heartbeat);
void heartbeat() {}
void open(const std::string& virtualHost,
- const framing::Array& capabilities, bool insist);
- void close(uint16_t replyCode, const std::string& replyText);
- void closeOk();
+ const framing::Array& capabilities, bool insist);
+ void close(uint16_t replyCode, const std::string& replyText);
+ void closeOk();
void start(const qpid::framing::FieldTable& serverProperties,
const framing::Array& mechanisms,
const framing::Array& locales);
-
+
void secure(const std::string& challenge);
-
+
void tune(uint16_t channelMax,
uint16_t frameMax,
uint16_t heartbeatMin,
uint16_t heartbeatMax);
-
+
void openOk(const framing::Array& knownHosts);
-
- void redirect(const std::string& host, const framing::Array& knownHosts);
+
+ void redirect(const std::string& host, const framing::Array& knownHosts);
};
std::auto_ptr<Handler> handler;
public:
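Review bot: The new member `AclModule* acl;` on line 85 carries no ownership or nullability information, yet from the .cpp side it is a non-owning pointer that is presumably null in client mode and whenever the broker has no ACL module, and every use must guard for that. A comment such as `AclModule* acl; // non-owning (the broker's); 0 in client mode or when no ACL module is loaded` would document the contract for the next reader. The remainder of this hunk is whitespace-only reindentation of the declarations.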
diff --git a/qpid/cpp/src/qpid/broker/Link.cpp b/qpid/cpp/src/qpid/broker/Link.cpp
index f5a7f3a4c3..12cbf48986 100644
--- a/qpid/cpp/src/qpid/broker/Link.cpp
+++ b/qpid/cpp/src/qpid/broker/Link.cpp
@@ -26,10 +26,13 @@
#include "qpid/agent/ManagementAgent.h"
#include "boost/bind.hpp"
#include "qpid/log/Statement.h"
+#include "qpid/framing/reply_exceptions.h"
+#include "AclModule.h"
using namespace qpid::broker;
using qpid::framing::Buffer;
using qpid::framing::FieldTable;
+using qpid::framing::NotAllowedException;
using qpid::management::ManagementAgent;
using qpid::management::ManagementObject;
using qpid::management::Manageable;
@@ -154,6 +157,12 @@ void Link::destroy ()
Mutex::ScopedLock mutex(lock);
Bridges toDelete;
+ AclModule* acl = getBroker()->getAcl();
+ std::string userID = getUsername() + "@" + getBroker()->getOptions().realm;
+ if (acl && !acl->authorise(userID,acl::DELETE,acl::LINK,"")){
+ throw NotAllowedException("ACL denied delete link request");
+ }
+
QPID_LOG (info, "Inter-broker link to " << host << ":" << port << " removed by management");
if (connection)
connection->close(403, "closed by management");
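Review bot: The DELETE LINK check on lines 147-151 authorises the link's own outbound credentials (`getUsername()`, the account this broker presents to the remote peer, joined with the local realm), not the principal who issued the management request; line 153 says `destroy()` is reached from management, so if that is the intended caller the ACL is being asked about the wrong identity. That means an operator entitled to delete links is refused whenever the link's user lacks the right, and any caller who can reach the management path may delete it whenever the link's user has it; the requester's id would need to be passed into `destroy()` or checked by the management-method dispatcher for the policy to mean what it says. The id is also built here as `user@realm` while the CREATE check in ConnectionHandler uses `connection.getUserId()`; whichever form the ACL module expects, the two should agree. The refusal is not logged either; `QPID_LOG(warning, "ACL denied delete link request for " << userID);` before the throw would leave an audit record. destroy()'s body continues past the hunk.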
diff --git a/qpid/cpp/src/qpid/broker/Link.h b/qpid/cpp/src/qpid/broker/Link.h
index dea28aad22..d09f58d9e4 100644
--- a/qpid/cpp/src/qpid/broker/Link.h
+++ b/qpid/cpp/src/qpid/broker/Link.h
@@ -110,6 +110,7 @@ namespace qpid {
string getAuthMechanism() { return authMechanism; }
string getUsername() { return username; }
string getPassword() { return password; }
+ Broker* getBroker() { return broker; }
void notifyConnectionForced(const std::string text);