From 384cd0a4681418fe03fc6121ee71eebc3878b9d4 Mon Sep 17 00:00:00 2001
From: "Carl C. Trieloff"
Date: Thu, 31 Jul 2008 20:45:44 +0000
Subject: - Implementation of ACL plugin - Apply ACL to Exchange, Queue, Binding, Subscribe - Follow Java ACL types, few added To complete the implementation of ACL the following items are remaining. - ACL on message transfer - ACL on MGNT commands - Reading ACL from File, into auth map.
git-svn-id: https://svn.apache.org/repos/asf/incubator/qpid/trunk/qpid@681479 13f79535-47bb-0310-9956-ffa450edef68
---
 cpp/src/qpid/acl/Acl.cpp | 105 +++++++++++++++++++++++++++++++++++++++++
 cpp/src/qpid/acl/Acl.h | 75 +++++++++++++++++++++++++++++
 cpp/src/qpid/acl/AclPlugin.cpp | 89 ++++++++++++++++++++++++++++++++++
 3 files changed, 269 insertions(+)
 create mode 100644 cpp/src/qpid/acl/Acl.cpp
 create mode 100644 cpp/src/qpid/acl/Acl.h
 create mode 100644 cpp/src/qpid/acl/AclPlugin.cpp
(limited to 'cpp/src/qpid/acl')
diff --git a/cpp/src/qpid/acl/Acl.cpp b/cpp/src/qpid/acl/Acl.cpp
new file mode 100644
index 0000000000..3f78317d82
--- /dev/null
+++ b/cpp/src/qpid/acl/Acl.cpp
@@ -0,0 +1,105 @@
+/*
+ *
+ * Copyright (c) 2006 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#include "Acl.h"
+
+
+#include "qpid/broker/Broker.h"
+#include "qpid/cluster/Cluster.h"
+#include "qpid/Plugin.h"
+#include "qpid/Options.h"
+#include "qpid/shared_ptr.h"
+
+#include 
+
+namespace qpid {
+namespace acl {
+
+using namespace std;
+ Acl::Acl (AclValues& av, broker::Broker& b): aclValues(av), broker(&b)
+ {
+ if (!readAclFile()) throw Exception("Could not read ACL file");
+ QPID_LOG(info, "ACL Plugin loaded");
+
+ }
+
+ std::string Acl::printAction(acl::Action action)
+ {
+ switch (action)
+ {
+ case CONSUME: return "Consume";
+ case PUBLISH: return "Publish";
+ case CREATE: return "Create";
+ case ACCESS: return "Access";
+ case BIND: return "Bind";
+ case UNBIND: return "Unbind";
+ case DELETE: return "Delete";
+ case PURGE: return "Purge";
+ default: return "Unknown";
+ }
+ }
+
+ std::string Acl::printObjType(acl::ObjectType objType)
+ {
+ switch (objType)
+ {
+ case QUEUE: return "Queue";
+ case EXCHANGE: return "Exchnage";
+ case ROUTINGKEY: return "RoutingKey";
+ case SESSION: return "Session";
+ default: return "Unknown";
+ }
+ }
+
+ bool Acl::authorise(std::string id, acl::Action action, acl::ObjectType objType, std::string name, std::map*
+ /*params*/)
+ {
+ if (aclValues.noEnforce) return true;
+
+ // add real ACL check here...
+ AclResult aclreslt = ALLOWLOG; // hack to test, set based on real decision.
+
+ switch (aclreslt)
+ {
+ case ALLOWLOG:
+ QPID_LOG(info, "ACL Allow log id:" << id <<" action:" << printAction(action) << " ObjectType:" << printObjType(objType) << " Name:" << name );
+ case ALLOW:
+ return true;
+ case DENYNOLOG:
+ return false;
+ case DENY:
+ default:
+ QPID_LOG(info, "ACL Deny id:" << id << " action:" << printAction(action) << " ObjectType:" << printObjType(objType) << " Name:" << name);
+ return false;
+ }
+
+ return false;
+ }
+
+ bool Acl::readAclFile()
+ {
+
+ return true;
+ }
+
+ Acl::~Acl(){}
+
+
+
+}} // namespace qpid::acl
diff --git a/cpp/src/qpid/acl/Acl.h b/cpp/src/qpid/acl/Acl.h
new file mode 100644
index 0000000000..98400eb33d
--- /dev/null
+++ b/cpp/src/qpid/acl/Acl.h
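Review bot: `Acl::authorise` is fail-open as committed: `aclreslt` is hard-coded to `ALLOWLOG` and `readAclFile()` returns true without opening anything, so a broker started without `--no-enforce-acl` logs "ACL Plugin loaded" and then permits every request while operators believe enforcement is on. Until the file parser lands, the stub should resolve to `DENY`, or at minimum the constructor should make the gap visible with something like `QPID_LOG(warning, "ACL file not read; all requests are currently allowed");`. `printObjType` returns `"Exchnage"` for `EXCHANGE`; the misspelling lands in every allow/deny log line and will defeat log searches and alert rules keyed on the object type — `case EXCHANGE: return "Exchange";`. The fall-through from `case ALLOWLOG:` into `case ALLOW:` is clearly intended but unmarked; add `// fall through: logged, then allowed` before `case ALLOW:`. The trailing `return false;` after the switch is unreachable, since every case returns inside it.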
@@ -0,0 +1,75 @@
+#ifndef QPID_ACL_ACL_H
+#define QPID_ACL_ACL_H
+
+
+/*
+ *
+ * Copyright (c) 2006 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+
+
+#include "qpid/shared_ptr.h"
+#include "qpid/RefCounted.h"
+#include "qpid/broker/AclModule.h"
+#include 
+#include 
+
+
+namespace qpid {
+namespace broker {
+class Broker;
+}
+
+namespace acl {
+
+struct AclValues {
+ public:
+ bool noEnforce;
+ std::string aclFile;
+
+ AclValues() {noEnforce = false; aclFile = "policy.acl"; }
+};
+
+
+class Acl : public broker::AclModule, public RefCounted
+{
+
+public:
+ Acl (AclValues& av, broker::Broker& b);
+
+ void initialize();
+
+ virtual bool authorise(std::string id, acl::Action action, acl::ObjectType objType, std::string name, std::map* params);
+ // create specilied authorise methods for cases that need faster matching as needed.
+
+ virtual ~Acl();
+private:
+ std::string printAction(acl::Action action);
+ std::string printObjType(acl::ObjectType objType);
+
+ acl::AclValues aclValues;
+ broker::Broker* broker;
+
+ bool readAclFile();
+
+};
+
+
+
+}} // namespace qpid::acl
+
+#endif // QPID_ACL_ACL_H
diff --git a/cpp/src/qpid/acl/AclPlugin.cpp b/cpp/src/qpid/acl/AclPlugin.cpp
new file mode 100644
index 0000000000..8bc00e6a96
--- /dev/null
+++ b/cpp/src/qpid/acl/AclPlugin.cpp
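Review bot: `void initialize();` is declared on `Acl` but no definition appears in Acl.cpp in this commit, so the first caller will fail at link time; either define it or drop the declaration. `authorise` takes `id` and `name` by value and will run on every consume, publish, bind and subscribe; `const std::string& id` and `const std::string& name` would save two string copies per check, provided the virtual signature in `broker::AclModule` (not visible here) is changed to match. The header does not state the contract of the return value or of `params`; a comment above `authorise` such as `// Returns true if the caller may perform action on the named object; params are optional object properties and may be null` would help whoever implements the remaining transfer and management checks. The comment on the next line has a typo: `specilied` should be `specialised`.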
@@ -0,0 +1,89 @@
+/*
+ *
+ * Copyright (c) 2006 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#include "qpid/acl/Acl.h"
+#include "qpid/broker/Broker.h"
+#include "qpid/Plugin.h"
+#include "qpid/Options.h"
+#include "qpid/shared_ptr.h"
+#include "qpid/log/Statement.h"
+
+#include 
+
+namespace qpid {
+namespace acl {
+
+using namespace std;
+
+/** Note separating options from values to work around boost version differences.
+ * Old boost takes a reference to options objects, but new boost makes a copy.
+ * New boost allows a shared_ptr but that's not compatible with old boost.
+ */
+struct AclOptions : public Options {
+ AclValues& values;
+
+ AclOptions(AclValues& v) : Options("ACL Options"), values(v) {
+ addOptions()
+ ("no-enforce-acl", optValue(values.noEnforce), "Do not enforce ACL")
+ ("acl-file", optValue(values.aclFile, "FILE"), "The policy file to load from, loaded from data dir")
+ ;
+ }
+};
+
+struct AclPlugin : public Plugin {
+
+ AclValues values;
+ AclOptions options;
+ boost::intrusive_ptr acl;
+
+ AclPlugin() : options(values) {}
+
+ Options* getOptions() { return &options; }
+
+ void init(broker::Broker& b) {
+ if (values.noEnforce){
+ QPID_LOG(info, "ACL Disabled, no ACL checking being done.");
+ return;
+ }
+ if (acl) throw Exception("ACL plugin cannot be initialized twice in one process.");
+ acl = new Acl(values, b);
+ b.setAcl(acl.get());
+ b.addFinalizer(boost::bind(&AclPlugin::shutdown, this));
+ }
+
+ template bool init(Plugin::Target& target) {
+ T* t = dynamic_cast(&target);
+ if (t) init(*t);
+ return t;
+ }
+
+ void earlyInitialize(Plugin::Target&) {}
+
+ void initialize(Plugin::Target& target) {
+ init(target);
+ }
+
+ void shutdown() { acl = 0; }
+};
+
+static AclPlugin instance; // Static initialization.
+
+// For test purposes.
+boost::intrusive_ptr getGlobalAcl() { return instance.acl; }
+
+}} // namespace qpid::acl
--
cgit v1.2.1
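Review bot: `shutdown()` releases the plugin's only reference to the `Acl` object, but `init` handed the broker a raw pointer via `b.setAcl(acl.get())`, so anything on the broker that still consults its ACL module after the finalizer has run would dereference a destroyed object. Whether that window exists depends on finalizer ordering inside `Broker`, which is not visible here; the defensive fix is to keep a `broker::Broker* broker` member set in `init` and have `shutdown()` clear the broker's pointer (`broker->setAcl(0)`, if `setAcl` accepts null) before `acl = 0`. The `values.noEnforce` branch in `init` turns off all authorisation yet logs at `info`; a broker running with enforcement disabled should be visible in routine log review, so `QPID_LOG(warning, "ACL Disabled, no ACL checking being done.");` is the better level. `getGlobalAcl()` has external linkage and is marked only "For test purposes."; a comment saying it is not part of the plugin's supported interface would keep other code from depending on it.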