qpid-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From g...@apache.org
Subject svn commit: r1540041 - in /qpid/trunk/qpid/cpp/src/qpid/broker/amqp: Authorise.cpp Authorise.h Session.cpp
Date Fri, 08 Nov 2013 14:08:14 GMT
Author: gsim
Date: Fri Nov  8 14:08:14 2013
New Revision: 1540041

URL: http://svn.apache.org/r1540041
Log:
QPID-5299: check access permissions before resolving node

Modified:
    qpid/trunk/qpid/cpp/src/qpid/broker/amqp/Authorise.cpp
    qpid/trunk/qpid/cpp/src/qpid/broker/amqp/Authorise.h
    qpid/trunk/qpid/cpp/src/qpid/broker/amqp/Session.cpp

Modified: qpid/trunk/qpid/cpp/src/qpid/broker/amqp/Authorise.cpp
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/broker/amqp/Authorise.cpp?rev=1540041&r1=1540040&r2=1540041&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/src/qpid/broker/amqp/Authorise.cpp (original)
+++ qpid/trunk/qpid/cpp/src/qpid/broker/amqp/Authorise.cpp Fri Nov  8 14:08:14 2013
@@ -128,4 +128,22 @@ void Authorise::interlink()
     }
 }
 
+void Authorise::access(const std::string& node, bool queueRequested, bool exchangeRequested)
+{
+    if (acl) {
+        std::map<acl::Property, std::string> params;
+        bool checkExchange = true;
+        bool checkQueue = true;
+        if (exchangeRequested) checkQueue = false;
+        else if (queueRequested) checkExchange = false;
+
+        bool allowExchange = !checkExchange || acl->authorise(user, acl::ACT_ACCESS, acl::OBJ_EXCHANGE,
node, &params);
+        bool allowQueue = !checkQueue || acl->authorise(user, acl::ACT_ACCESS, acl::OBJ_QUEUE,
node, &params);
+
+        if (!allowQueue || !allowExchange) {
+            throw Exception(qpid::amqp::error_conditions::UNAUTHORIZED_ACCESS, QPID_MSG("ACL
denied access request to " << node << " from " << user));
+        }
+    }
+}
+
 }}} // namespace qpid::broker::amqp

Modified: qpid/trunk/qpid/cpp/src/qpid/broker/amqp/Authorise.h
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/broker/amqp/Authorise.h?rev=1540041&r1=1540040&r2=1540041&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/src/qpid/broker/amqp/Authorise.h (original)
+++ qpid/trunk/qpid/cpp/src/qpid/broker/amqp/Authorise.h Fri Nov  8 14:08:14 2013
@@ -48,6 +48,13 @@ class Authorise
     void outgoing(boost::shared_ptr<Queue>);
     void route(boost::shared_ptr<Exchange>, const Message&);
     void interlink();
+    /**
+     * Used to determine whether the user has access permission for a
+     * given node name. If a specific type of node was requested, only
+     * acces to that type is checked. Otherwise access to either queue
+     * or exchange is required.
+     */
+    void access(const std::string& name, bool queueRequested, bool exchangeRequested);
   private:
     const std::string user;
     AclModule* const acl;

Modified: qpid/trunk/qpid/cpp/src/qpid/broker/amqp/Session.cpp
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/broker/amqp/Session.cpp?rev=1540041&r1=1540040&r2=1540041&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/src/qpid/broker/amqp/Session.cpp (original)
+++ qpid/trunk/qpid/cpp/src/qpid/broker/amqp/Session.cpp Fri Nov  8 14:08:14 2013
@@ -199,13 +199,25 @@ Session::Session(pn_session_t* s, Connec
 
 Session::ResolvedNode Session::resolve(const std::string name, pn_terminus_t* terminus, bool
incoming)
 {
-    ResolvedNode node;
-    node.exchange = connection.getBroker().getExchanges().find(name);
-    node.queue = connection.getBroker().getQueues().find(name);
-    node.topic = connection.getTopics().get(name);
-    bool createOnDemand = is_capability_requested(CREATE_ON_DEMAND, pn_terminus_capabilities(terminus));
     bool isQueueRequested = is_capability_requested(QUEUE, pn_terminus_capabilities(terminus));
     bool isTopicRequested = is_capability_requested(TOPIC, pn_terminus_capabilities(terminus));
+    if (isTopicRequested && isQueueRequested) {
+        //requesting both renders each request meaningless
+        isQueueRequested = false;
+        isTopicRequested = false;
+    }
+    //check whether user is even allowed access to queues/topics before resolving
+    authorise.access(name, isQueueRequested, isTopicRequested);
+    ResolvedNode node;
+    if (isTopicRequested || !isQueueRequested) {
+        node.topic = connection.getTopics().get(name);
+        if (node.topic) node.exchange = node.topic->getExchange();
+        else node.exchange = connection.getBroker().getExchanges().find(name);
+    }
+    if (isQueueRequested || !isTopicRequested) {
+        node.queue = connection.getBroker().getQueues().find(name);
+    }
+    bool createOnDemand = is_capability_requested(CREATE_ON_DEMAND, pn_terminus_capabilities(terminus));
     //Strictly speaking, properties should only be specified when the
     //terminus is dynamic. However we will not enforce that here. If
     //properties are set on the attach request, we will set them on
@@ -213,7 +225,6 @@ Session::ResolvedNode Session::resolve(c
     //qpid messaging API to be implemented over 1.0.
     node.properties.read(pn_terminus_properties(terminus));
 
-    if (node.topic) node.exchange = node.topic->getExchange();
     if (node.exchange && createOnDemand && isTopicRequested) {
         if (!node.properties.getExchangeType().empty() && node.properties.getExchangeType()
!= node.exchange->getType()) {
             //emulate 0-10 exchange-declare behaviour



---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@qpid.apache.org
For additional commands, e-mail: commits-help@qpid.apache.org


Mime
View raw message