char *qd_entity_opt_string(qd_entity_t *entity, const char* attribute, const char* default_value) { if (qd_entity_has(entity, attribute)) return qd_entity_get_string(entity, attribute); else return default_value ? strdup(default_value) : NULL; }
qd_error_t qd_log_entity(qd_entity_t *entity) { qd_error_clear(); char* module = qd_entity_get_string(entity, "module"); QD_ERROR_RET(); sys_mutex_lock(log_source_lock); qd_log_source_t *src = qd_log_source_lh(module); /* The original log source */ free(module); qd_log_source_t copy = *src; /* A copy to modify outside the lock. */ sys_mutex_unlock(log_source_lock); if (qd_entity_has(entity, "enable")) { char *enable = qd_entity_get_string(entity, "enable"); copy.mask = enable_mask(enable); free(enable); } QD_ERROR_RET(); if (qd_entity_has(entity, "timestamp")) copy.timestamp = qd_entity_get_bool(entity, "timestamp"); QD_ERROR_RET(); if (qd_entity_has(entity, "source")) copy.source = qd_entity_get_bool(entity, "source"); QD_ERROR_RET(); if (qd_entity_has(entity, "output")) { log_sink_free_lh(copy.sink); /* DEFAULT source may already have a sink */ char* output = qd_entity_get_string(entity, "output"); QD_ERROR_RET(); copy.sink = log_sink_lh(output); free(output); if (copy.sink->syslog) /* Timestamp off for syslog. */ copy.timestamp = 0; } sys_mutex_lock(log_source_lock); *src = copy; sys_mutex_unlock(log_source_lock); return qd_error_code(); }
/** Look up user/host/app in python policyRuleset and give the AMQP Open * a go-no_go decision. Return false if the mechanics of calling python * fails. A policy lookup will deny the connection by returning a blank * usergroup name in the name buffer. * Connection and connection denial counting is done in the python code. * @param[in] policy pointer to policy * @param[in] username authenticated user name * @param[in] hostip numeric host ip address * @param[in] app application name received in remote AMQP Open.hostname * @param[in] conn_name connection name for tracking * @param[out] name_buf pointer to settings name buffer * @param[in] name_buf_size size of settings_buf **/ bool qd_policy_open_lookup_user( qd_policy_t *policy, const char *username, const char *hostip, const char *app, const char *conn_name, char *name_buf, int name_buf_size, uint64_t conn_id, qd_policy_settings_t *settings) { // TODO: crolke 2016-03-24 - Workaround for PROTON-1133: Port number is included in Open hostname // Strip the ':NNNN', if any, from the app name so that policy will work with proton 0.12 char appname[HOST_NAME_MAX + 1]; strncpy(appname, app, HOST_NAME_MAX); appname[HOST_NAME_MAX] = 0; char * colonp = strstr(appname, ":"); if (colonp) { *colonp = 0; } // Lookup the user/host/app for allow/deny and to get settings name bool res = false; qd_python_lock_state_t lock_state = qd_python_lock(); PyObject *module = PyImport_ImportModule("qpid_dispatch_internal.policy.policy_manager"); if (module) { PyObject *lookup_user = PyObject_GetAttrString(module, "policy_lookup_user"); if (lookup_user) { PyObject *result = PyObject_CallFunction(lookup_user, "(OssssK)", (PyObject *)policy->py_policy_manager, username, hostip, appname, conn_name, conn_id); if (result) { const char *res_string = PyString_AsString(result); strncpy(name_buf, res_string, name_buf_size); Py_XDECREF(result); res = true; // settings name returned } else { qd_log(policy->log_source, QD_LOG_DEBUG, "Internal: lookup_user: result"); } Py_XDECREF(lookup_user); } else { qd_log(policy->log_source, QD_LOG_DEBUG, "Internal: lookup_user: lookup_user"); } } if (!res) { if (module) { Py_XDECREF(module); } qd_python_unlock(lock_state); return false; } // if (name_buf[0]) { // Go get the named settings res = false; PyObject *upolicy = PyDict_New(); if (upolicy) { PyObject *lookup_settings = PyObject_GetAttrString(module, "policy_lookup_settings"); if (lookup_settings) { PyObject *result2 = PyObject_CallFunction(lookup_settings, "(OssO)", (PyObject *)policy->py_policy_manager, appname, name_buf, upolicy); if (result2) { settings->maxFrameSize = qd_entity_opt_long((qd_entity_t*)upolicy, "maxFrameSize", 0); settings->maxMessageSize = qd_entity_opt_long((qd_entity_t*)upolicy, "maxMessageSize", 0); settings->maxSessionWindow = qd_entity_opt_long((qd_entity_t*)upolicy, "maxSessionWindow", 0); settings->maxSessions = qd_entity_opt_long((qd_entity_t*)upolicy, "maxSessions", 0); settings->maxSenders = qd_entity_opt_long((qd_entity_t*)upolicy, "maxSenders", 0); settings->maxReceivers = qd_entity_opt_long((qd_entity_t*)upolicy, "maxReceivers", 0); settings->allowAnonymousSender = qd_entity_opt_bool((qd_entity_t*)upolicy, "allowAnonymousSender", false); settings->allowDynamicSrc = qd_entity_opt_bool((qd_entity_t*)upolicy, "allowDynamicSrc", false); settings->sources = qd_entity_get_string((qd_entity_t*)upolicy, "sources"); settings->targets = qd_entity_get_string((qd_entity_t*)upolicy, "targets"); settings->denialCounts = (qd_policy_denial_counts_t*) qd_entity_get_long((qd_entity_t*)upolicy, "denialCounts"); Py_XDECREF(result2); res = true; // named settings content returned } else { qd_log(policy->log_source, QD_LOG_DEBUG, "Internal: lookup_user: result2"); } Py_XDECREF(lookup_settings); } else { qd_log(policy->log_source, QD_LOG_DEBUG, "Internal: lookup_user: lookup_settings"); } Py_XDECREF(upolicy); } else { qd_log(policy->log_source, QD_LOG_DEBUG, "Internal: lookup_user: upolicy"); } } Py_XDECREF(module); qd_python_unlock(lock_state); if (name_buf[0]) { qd_log(policy->log_source, QD_LOG_TRACE, "ALLOW AMQP Open lookup_user: %s, hostip: %s, app: %s, connection: %s. Usergroup: '%s'%s", username, hostip, appname, conn_name, name_buf, (res ? "" : " Internal error.")); } else { // Denials are logged in python code } return res; }
static qd_error_t load_server_config(qd_dispatch_t *qd, qd_server_config_t *config, qd_entity_t* entity) { qd_error_clear(); bool authenticatePeer = qd_entity_opt_bool(entity, "authenticatePeer", false); CHECK(); char *stripAnnotations = qd_entity_opt_string(entity, "stripAnnotations", 0); CHECK(); bool requireEncryption = qd_entity_opt_bool(entity, "requireEncryption", false); CHECK(); bool requireSsl = qd_entity_opt_bool(entity, "requireSsl", false); CHECK(); bool depRequirePeerAuth = qd_entity_opt_bool(entity, "requirePeerAuth", false); CHECK(); bool depAllowUnsecured = qd_entity_opt_bool(entity, "allowUnsecured", !requireSsl); CHECK(); memset(config, 0, sizeof(*config)); config->host = qd_entity_get_string(entity, "addr"); CHECK(); config->port = qd_entity_get_string(entity, "port"); CHECK(); config->name = qd_entity_opt_string(entity, "name", 0); CHECK(); config->role = qd_entity_get_string(entity, "role"); CHECK(); config->protocol_family = qd_entity_opt_string(entity, "protocolFamily", 0); CHECK(); config->max_frame_size = qd_entity_get_long(entity, "maxFrameSize"); CHECK(); config->idle_timeout_seconds = qd_entity_get_long(entity, "idleTimeoutSeconds"); CHECK(); config->sasl_username = qd_entity_opt_string(entity, "saslUsername", 0); CHECK(); config->sasl_password = qd_entity_opt_string(entity, "saslPassword", 0); CHECK(); config->sasl_mechanisms = qd_entity_opt_string(entity, "saslMechanisms", 0); CHECK(); config->ssl_enabled = has_attrs(entity, ssl_attributes, ssl_attributes_count); config->link_capacity = qd_entity_opt_long(entity, "linkCapacity", 0); CHECK(); // // Handle the defaults for link capacity. // if (config->link_capacity == 0) { if (strcmp("inter-router", config->role) == 0) config->link_capacity = 100000; // This is effectively infinite since session flow control will be more stringent. else config->link_capacity = 250; } // // For now we are hardwiring this attribute to true. If there's an outcry from the // user community, we can revisit this later. // config->allowInsecureAuthentication = true; load_strip_annotations(config, stripAnnotations); config->requireAuthentication = authenticatePeer || depRequirePeerAuth; config->requireEncryption = requireEncryption || !depAllowUnsecured; if (config->ssl_enabled) { config->ssl_required = requireSsl || !depAllowUnsecured; config->ssl_require_peer_authentication = config->sasl_mechanisms && strstr(config->sasl_mechanisms, "EXTERNAL") != 0; config->ssl_certificate_file = qd_entity_opt_string(entity, "certFile", 0); CHECK(); config->ssl_private_key_file = qd_entity_opt_string(entity, "keyFile", 0); CHECK(); config->ssl_password = qd_entity_opt_string(entity, "password", 0); CHECK(); config->ssl_trusted_certificate_db = qd_entity_opt_string(entity, "certDb", 0); CHECK(); config->ssl_trusted_certificates = qd_entity_opt_string(entity, "trustedCerts", 0); CHECK(); config->ssl_uid_format = qd_entity_opt_string(entity, "uidFormat", 0); CHECK(); config->ssl_display_name_file = qd_entity_opt_string(entity, "displayNameFile", 0); CHECK(); } free(stripAnnotations); return QD_ERROR_NONE; error: qd_server_config_free(config); return qd_error_code(); }
static qd_error_t load_server_config(qd_dispatch_t *qd, qd_server_config_t *config, qd_entity_t* entity, bool is_listener) { qd_error_clear(); bool authenticatePeer = qd_entity_opt_bool(entity, "authenticatePeer", false); CHECK(); bool verifyHostName = qd_entity_opt_bool(entity, "verifyHostName", true); CHECK(); bool requireEncryption = qd_entity_opt_bool(entity, "requireEncryption", false); CHECK(); bool requireSsl = qd_entity_opt_bool(entity, "requireSsl", false); CHECK(); memset(config, 0, sizeof(*config)); config->log_message = qd_entity_opt_string(entity, "logMessage", 0); CHECK(); config->log_bits = populate_log_message(config); config->port = qd_entity_get_string(entity, "port"); CHECK(); config->name = qd_entity_opt_string(entity, "name", 0); CHECK(); config->role = qd_entity_get_string(entity, "role"); CHECK(); config->inter_router_cost = qd_entity_opt_long(entity, "cost", 1); CHECK(); config->protocol_family = qd_entity_opt_string(entity, "protocolFamily", 0); CHECK(); config->http = qd_entity_opt_bool(entity, "http", false); CHECK(); config->http_root = qd_entity_opt_string(entity, "httpRoot", false); CHECK(); config->http = config->http || config->http_root; /* httpRoot implies http */ config->max_frame_size = qd_entity_get_long(entity, "maxFrameSize"); CHECK(); config->max_sessions = qd_entity_get_long(entity, "maxSessions"); CHECK(); uint64_t ssn_frames = qd_entity_opt_long(entity, "maxSessionFrames", 0); CHECK(); config->idle_timeout_seconds = qd_entity_get_long(entity, "idleTimeoutSeconds"); CHECK(); if (is_listener) { config->initial_handshake_timeout_seconds = qd_entity_get_long(entity, "initialHandshakeTimeoutSeconds"); CHECK(); } config->sasl_username = qd_entity_opt_string(entity, "saslUsername", 0); CHECK(); config->sasl_password = qd_entity_opt_string(entity, "saslPassword", 0); CHECK(); config->sasl_mechanisms = qd_entity_opt_string(entity, "saslMechanisms", 0); CHECK(); config->ssl_profile = qd_entity_opt_string(entity, "sslProfile", 0); CHECK(); config->sasl_plugin = qd_entity_opt_string(entity, "saslPlugin", 0); CHECK(); config->link_capacity = qd_entity_opt_long(entity, "linkCapacity", 0); CHECK(); config->multi_tenant = qd_entity_opt_bool(entity, "multiTenant", false); CHECK(); set_config_host(config, entity); // // Handle the defaults for various settings // if (config->link_capacity == 0) config->link_capacity = 250; if (config->max_sessions == 0 || config->max_sessions > 32768) // Proton disallows > 32768 config->max_sessions = 32768; if (config->max_frame_size < QD_AMQP_MIN_MAX_FRAME_SIZE) // Silently promote the minimum max-frame-size // Proton will do this but the number is needed for the // incoming capacity calculation. config->max_frame_size = QD_AMQP_MIN_MAX_FRAME_SIZE; // // Given session frame count and max frame size compute session incoming_capacity // if (ssn_frames == 0) config->incoming_capacity = (sizeof(size_t) < 8) ? 0x7FFFFFFFLL : 0x7FFFFFFFLL * config->max_frame_size; else { uint64_t mfs = (uint64_t) config->max_frame_size; uint64_t trial_ic = ssn_frames * mfs; uint64_t limit = (sizeof(size_t) < 8) ? (1ll << 31) - 1 : 0; if (limit == 0 || trial_ic < limit) { // Silently promote incoming capacity of zero to one config->incoming_capacity = (trial_ic < QD_AMQP_MIN_MAX_FRAME_SIZE ? QD_AMQP_MIN_MAX_FRAME_SIZE : trial_ic); } else { config->incoming_capacity = limit; uint64_t computed_ssn_frames = limit / mfs; qd_log(qd->connection_manager->log_source, QD_LOG_WARNING, "Server configuation for I/O adapter entity name:'%s', host:'%s', port:'%s', " "requested maxSessionFrames truncated from %"PRId64" to %"PRId64, config->name, config->host, config->port, ssn_frames, computed_ssn_frames); } } // // For now we are hardwiring this attribute to true. If there's an outcry from the // user community, we can revisit this later. // config->allowInsecureAuthentication = true; config->verify_host_name = verifyHostName; char *stripAnnotations = qd_entity_opt_string(entity, "stripAnnotations", 0); load_strip_annotations(config, stripAnnotations); free(stripAnnotations); stripAnnotations = 0; CHECK(); config->requireAuthentication = authenticatePeer; config->requireEncryption = requireEncryption || requireSsl; if (config->ssl_profile) { config->ssl_required = requireSsl; config->ssl_require_peer_authentication = config->sasl_mechanisms && strstr(config->sasl_mechanisms, "EXTERNAL") != 0; qd_config_ssl_profile_t *ssl_profile = qd_find_ssl_profile(qd->connection_manager, config->ssl_profile); if (ssl_profile) { config->ssl_certificate_file = SSTRDUP(ssl_profile->ssl_certificate_file); config->ssl_private_key_file = SSTRDUP(ssl_profile->ssl_private_key_file); config->ciphers = SSTRDUP(ssl_profile->ciphers); config->ssl_password = SSTRDUP(ssl_profile->ssl_password); config->ssl_trusted_certificate_db = SSTRDUP(ssl_profile->ssl_trusted_certificate_db); config->ssl_trusted_certificates = SSTRDUP(ssl_profile->ssl_trusted_certificates); config->ssl_uid_format = SSTRDUP(ssl_profile->ssl_uid_format); config->ssl_display_name_file = SSTRDUP(ssl_profile->ssl_display_name_file); } } if (config->sasl_plugin) { qd_config_sasl_plugin_t *sasl_plugin = qd_find_sasl_plugin(qd->connection_manager, config->sasl_plugin); if (sasl_plugin) { config->auth_service = SSTRDUP(sasl_plugin->auth_service); config->sasl_init_hostname = SSTRDUP(sasl_plugin->sasl_init_hostname); qd_log(qd->connection_manager->log_source, QD_LOG_INFO, "Using auth service %s from SASL Plugin %s", config->auth_service, config->sasl_plugin); if (sasl_plugin->auth_ssl_profile) { qd_config_ssl_profile_t *auth_ssl_profile = qd_find_ssl_profile(qd->connection_manager, sasl_plugin->auth_ssl_profile); config->auth_ssl_conf = pn_ssl_domain(PN_SSL_MODE_CLIENT); if (auth_ssl_profile->ssl_certificate_file) { if (pn_ssl_domain_set_credentials(config->auth_ssl_conf, auth_ssl_profile->ssl_certificate_file, auth_ssl_profile->ssl_private_key_file, auth_ssl_profile->ssl_password)) { qd_error(QD_ERROR_RUNTIME, "Cannot set SSL credentials for authentication service"); CHECK(); } } if (auth_ssl_profile->ssl_trusted_certificate_db) { if (pn_ssl_domain_set_trusted_ca_db(config->auth_ssl_conf, auth_ssl_profile->ssl_trusted_certificate_db)) { qd_error(QD_ERROR_RUNTIME, "Cannot set trusted SSL certificate db for authentication service" ); CHECK(); } else { if (pn_ssl_domain_set_peer_authentication(config->auth_ssl_conf, PN_SSL_VERIFY_PEER, auth_ssl_profile->ssl_trusted_certificate_db)) { qd_error(QD_ERROR_RUNTIME, "Cannot set SSL peer verification for authentication service"); CHECK(); } } } if (auth_ssl_profile->ciphers) { if (pn_ssl_domain_set_ciphers(config->auth_ssl_conf, auth_ssl_profile->ciphers)) { return qd_error(QD_ERROR_RUNTIME, "Cannot set ciphers. The ciphers string might be invalid. Use openssl ciphers -v <ciphers> to validate"); } } } } else { qd_error(QD_ERROR_RUNTIME, "Cannot find sasl plugin %s", config->sasl_plugin); CHECK(); } } return QD_ERROR_NONE; error: qd_server_config_free(config); return qd_error_code(); }
static qd_error_t load_server_config(qd_dispatch_t *qd, qd_server_config_t *config, qd_entity_t* entity, qd_config_ssl_profile_t **ssl_profile) { qd_error_clear(); bool authenticatePeer = qd_entity_opt_bool(entity, "authenticatePeer", false); CHECK(); bool verifyHostName = qd_entity_opt_bool(entity, "verifyHostName", true); CHECK(); char *stripAnnotations = qd_entity_opt_string(entity, "stripAnnotations", 0); CHECK(); bool requireEncryption = qd_entity_opt_bool(entity, "requireEncryption", false); CHECK(); bool requireSsl = qd_entity_opt_bool(entity, "requireSsl", false); CHECK(); bool depRequirePeerAuth = qd_entity_opt_bool(entity, "requirePeerAuth", false); CHECK(); bool depAllowUnsecured = qd_entity_opt_bool(entity, "allowUnsecured", !requireSsl); CHECK(); memset(config, 0, sizeof(*config)); config->port = qd_entity_get_string(entity, "port"); CHECK(); config->name = qd_entity_opt_string(entity, "name", 0); CHECK(); config->role = qd_entity_get_string(entity, "role"); CHECK(); config->inter_router_cost = qd_entity_opt_long(entity, "cost", 1); CHECK(); config->protocol_family = qd_entity_opt_string(entity, "protocolFamily", 0); CHECK(); config->max_frame_size = qd_entity_get_long(entity, "maxFrameSize"); CHECK(); config->max_sessions = qd_entity_get_long(entity, "maxSessions"); CHECK(); uint64_t ssn_frames = qd_entity_get_long(entity, "maxSessionFrames"); CHECK(); config->idle_timeout_seconds = qd_entity_get_long(entity, "idleTimeoutSeconds"); CHECK(); config->sasl_username = qd_entity_opt_string(entity, "saslUsername", 0); CHECK(); config->sasl_password = qd_entity_opt_string(entity, "saslPassword", 0); CHECK(); config->sasl_mechanisms = qd_entity_opt_string(entity, "saslMechanisms", 0); CHECK(); config->ssl_profile = qd_entity_opt_string(entity, "sslProfile", 0); CHECK(); config->link_capacity = qd_entity_opt_long(entity, "linkCapacity", 0); CHECK(); set_config_host(config, entity); // // Handle the defaults for various settings // if (config->link_capacity == 0) config->link_capacity = 250; if (config->max_sessions == 0 || config->max_sessions > 32768) // Proton disallows > 32768 config->max_sessions = 32768; if (config->max_frame_size < QD_AMQP_MIN_MAX_FRAME_SIZE) // Silently promote the minimum max-frame-size // Proton will do this but the number is needed for the // incoming capacity calculation. config->max_frame_size = QD_AMQP_MIN_MAX_FRAME_SIZE; // // Given session frame count and max frame size compute session incoming_capacity // Limit total capacity to 2^31-1. // uint64_t mfs = (uint64_t)config->max_frame_size; uint64_t trial_ic = ssn_frames * mfs; uint64_t limit = (1ll << 31) - 1; if (trial_ic < limit) { // Silently promote incoming capacity of zero to one config->incoming_capacity = (trial_ic < QD_AMQP_MIN_MAX_FRAME_SIZE ? QD_AMQP_MIN_MAX_FRAME_SIZE : trial_ic); } else { config->incoming_capacity = limit; uint64_t computed_ssn_frames = limit / mfs; qd_log(qd->connection_manager->log_source, QD_LOG_WARNING, "Server configuation for I/O adapter entity name:'%s', host:'%s', port:'%s', " "requested maxSessionFrames truncated from %llu to %llu", config->name, config->host, config->port, ssn_frames, computed_ssn_frames); } // // For now we are hardwiring this attribute to true. If there's an outcry from the // user community, we can revisit this later. // config->allowInsecureAuthentication = true; config->verify_host_name = verifyHostName; load_strip_annotations(config, stripAnnotations); config->requireAuthentication = authenticatePeer || depRequirePeerAuth; config->requireEncryption = requireEncryption || !depAllowUnsecured; if (config->ssl_profile) { config->ssl_required = requireSsl || !depAllowUnsecured; config->ssl_require_peer_authentication = config->sasl_mechanisms && strstr(config->sasl_mechanisms, "EXTERNAL") != 0; *ssl_profile = qd_find_ssl_profile(qd->connection_manager, config->ssl_profile); if (*ssl_profile) { config->ssl_certificate_file = (*ssl_profile)->ssl_certificate_file; config->ssl_private_key_file = (*ssl_profile)->ssl_private_key_file; config->ssl_password = (*ssl_profile)->ssl_password; config->ssl_trusted_certificate_db = (*ssl_profile)->ssl_trusted_certificate_db; config->ssl_trusted_certificates = (*ssl_profile)->ssl_trusted_certificates; config->ssl_uid_format = (*ssl_profile)->ssl_uid_format; config->ssl_display_name_file = (*ssl_profile)->ssl_display_name_file; } sys_atomic_inc(&(*ssl_profile)->ref_count); } free(stripAnnotations); return QD_ERROR_NONE; error: qd_server_config_free(config); return qd_error_code(); }
/** Look up user/host/vhost in python vhost and give the AMQP Open * a go-no_go decision. Return false if the mechanics of calling python * fails. A policy lookup will deny the connection by returning a blank * usergroup name in the name buffer. * Connection and connection denial counting is done in the python code. * @param[in] policy pointer to policy * @param[in] username authenticated user name * @param[in] hostip numeric host ip address * @param[in] vhost application name received in remote AMQP Open.hostname * @param[in] conn_name connection name for tracking * @param[out] name_buf pointer to settings name buffer * @param[in] name_buf_size size of settings_buf **/ bool qd_policy_open_lookup_user( qd_policy_t *policy, const char *username, const char *hostip, const char *vhost, const char *conn_name, char *name_buf, int name_buf_size, uint64_t conn_id, qd_policy_settings_t *settings) { // Lookup the user/host/vhost for allow/deny and to get settings name bool res = false; qd_python_lock_state_t lock_state = qd_python_lock(); PyObject *module = PyImport_ImportModule("qpid_dispatch_internal.policy.policy_manager"); if (module) { PyObject *lookup_user = PyObject_GetAttrString(module, "policy_lookup_user"); if (lookup_user) { PyObject *result = PyObject_CallFunction(lookup_user, "(OssssK)", (PyObject *)policy->py_policy_manager, username, hostip, vhost, conn_name, conn_id); if (result) { const char *res_string = PyString_AsString(result); strncpy(name_buf, res_string, name_buf_size); Py_XDECREF(result); res = true; // settings name returned } else { qd_log(policy->log_source, QD_LOG_DEBUG, "Internal: lookup_user: result"); } Py_XDECREF(lookup_user); } else { qd_log(policy->log_source, QD_LOG_DEBUG, "Internal: lookup_user: lookup_user"); } } if (!res) { if (module) { Py_XDECREF(module); } qd_python_unlock(lock_state); return false; } // if (name_buf[0]) { // Go get the named settings res = false; PyObject *upolicy = PyDict_New(); if (upolicy) { PyObject *lookup_settings = PyObject_GetAttrString(module, "policy_lookup_settings"); if (lookup_settings) { PyObject *result2 = PyObject_CallFunction(lookup_settings, "(OssO)", (PyObject *)policy->py_policy_manager, vhost, name_buf, upolicy); if (result2) { settings->maxFrameSize = qd_entity_opt_long((qd_entity_t*)upolicy, "maxFrameSize", 0); settings->maxMessageSize = qd_entity_opt_long((qd_entity_t*)upolicy, "maxMessageSize", 0); settings->maxSessionWindow = qd_entity_opt_long((qd_entity_t*)upolicy, "maxSessionWindow", 0); settings->maxSessions = qd_entity_opt_long((qd_entity_t*)upolicy, "maxSessions", 0); settings->maxSenders = qd_entity_opt_long((qd_entity_t*)upolicy, "maxSenders", 0); settings->maxReceivers = qd_entity_opt_long((qd_entity_t*)upolicy, "maxReceivers", 0); settings->allowAnonymousSender = qd_entity_opt_bool((qd_entity_t*)upolicy, "allowAnonymousSender", false); settings->allowDynamicSource = qd_entity_opt_bool((qd_entity_t*)upolicy, "allowDynamicSource", false); settings->allowUserIdProxy = qd_entity_opt_bool((qd_entity_t*)upolicy, "allowUserIdProxy", false); settings->sources = qd_entity_get_string((qd_entity_t*)upolicy, "sources"); settings->targets = qd_entity_get_string((qd_entity_t*)upolicy, "targets"); settings->denialCounts = (qd_policy_denial_counts_t*) qd_entity_get_long((qd_entity_t*)upolicy, "denialCounts"); Py_XDECREF(result2); res = true; // named settings content returned } else { qd_log(policy->log_source, QD_LOG_DEBUG, "Internal: lookup_user: result2"); } Py_XDECREF(lookup_settings); } else { qd_log(policy->log_source, QD_LOG_DEBUG, "Internal: lookup_user: lookup_settings"); } Py_XDECREF(upolicy); } else { qd_log(policy->log_source, QD_LOG_DEBUG, "Internal: lookup_user: upolicy"); } } Py_XDECREF(module); qd_python_unlock(lock_state); if (name_buf[0]) { qd_log(policy->log_source, QD_LOG_TRACE, "ALLOW AMQP Open lookup_user: %s, rhost: %s, vhost: %s, connection: %s. Usergroup: '%s'%s", username, hostip, vhost, conn_name, name_buf, (res ? "" : " Internal error.")); } else { // Denials are logged in python code } return res; }