qd_error_t qd_dispatch_configure_router(qd_dispatch_t *qd, qd_entity_t *entity)
{
qd_dispatch_set_router_id(qd, qd_entity_opt_string(entity, "routerId", 0));
QD_ERROR_RET();
if (! qd->router_id) {
qd_dispatch_set_router_id(qd, qd_entity_opt_string(entity, "id", 0));
QD_ERROR_RET();
}
assert(qd->router_id);
qd->router_mode = qd_entity_get_long(entity, "mode");
QD_ERROR_RET();
qd->thread_count = qd_entity_opt_long(entity, "workerThreads", 4);
QD_ERROR_RET();
if (! qd->sasl_config_path) {
qd->sasl_config_path = qd_entity_opt_string(entity, "saslConfigPath", 0);
QD_ERROR_RET();
}
if (! qd->sasl_config_name) {
qd->sasl_config_name = qd_entity_opt_string(entity, "saslConfigName", "qdrouterd");
QD_ERROR_RET();
}
char *dump_file = qd_entity_opt_string(entity, "debugDump", 0);
QD_ERROR_RET();
if (dump_file) {
qd_alloc_debug_dump(dump_file);
QD_ERROR_RET();
free(dump_file);
}
return QD_ERROR_NONE;
}
/**
* The Container Entity has been deprecated and will be removed in the future. Use the RouterEntity instead.
*/
qd_error_t qd_dispatch_configure_container(qd_dispatch_t *qd, qd_entity_t *entity)
{
// Add a log warning. Check to see if too early
qd->thread_count = qd_entity_opt_long(entity, "workerThreads", 4); QD_ERROR_RET();
qd->sasl_config_path = qd_entity_opt_string(entity, "saslConfigPath", 0); QD_ERROR_RET();
qd->sasl_config_name = qd_entity_opt_string(entity, "saslConfigName", 0); QD_ERROR_RET();
char *dump_file = qd_entity_opt_string(entity, "debugDump", 0); QD_ERROR_RET();
if (dump_file) {
qd_alloc_debug_dump(dump_file); QD_ERROR_RET();
free(dump_file);
}
return QD_ERROR_NONE;
}
qd_error_t qd_entity_configure_policy(qd_policy_t *policy, qd_entity_t *entity)
{
policy->max_connection_limit = qd_entity_opt_long(entity, "maximumConnections", 0); CHECK();
if (policy->max_connection_limit < 0)
return qd_error(QD_ERROR_CONFIG, "maximumConnections must be >= 0");
policy->policyFolder =
qd_entity_opt_string(entity, "policyFolder", 0); CHECK();
policy->enableAccessRules = qd_entity_opt_bool(entity, "enableAccessRules", false); CHECK();
qd_log(policy->log_source, QD_LOG_INFO, "Policy configured maximumConnections: %d, policyFolder: '%s', access rules enabled: '%s'",
policy->max_connection_limit, policy->policyFolder, (policy->enableAccessRules ? "true" : "false"));
return QD_ERROR_NONE;
error:
if (policy->policyFolder)
free(policy->policyFolder);
qd_policy_free(policy);
return qd_error_code();
}
/** Look up user/host/app in python policyRuleset and give the AMQP Open
* a go-no_go decision. Return false if the mechanics of calling python
* fails. A policy lookup will deny the connection by returning a blank
* usergroup name in the name buffer.
* Connection and connection denial counting is done in the python code.
* @param[in] policy pointer to policy
* @param[in] username authenticated user name
* @param[in] hostip numeric host ip address
* @param[in] app application name received in remote AMQP Open.hostname
* @param[in] conn_name connection name for tracking
* @param[out] name_buf pointer to settings name buffer
* @param[in] name_buf_size size of settings_buf
**/
bool qd_policy_open_lookup_user(
qd_policy_t *policy,
const char *username,
const char *hostip,
const char *app,
const char *conn_name,
char *name_buf,
int name_buf_size,
uint64_t conn_id,
qd_policy_settings_t *settings)
{
// TODO: crolke 2016-03-24 - Workaround for PROTON-1133: Port number is included in Open hostname
// Strip the ':NNNN', if any, from the app name so that policy will work with proton 0.12
char appname[HOST_NAME_MAX + 1];
strncpy(appname, app, HOST_NAME_MAX);
appname[HOST_NAME_MAX] = 0;
char * colonp = strstr(appname, ":");
if (colonp) {
*colonp = 0;
}
// Lookup the user/host/app for allow/deny and to get settings name
bool res = false;
qd_python_lock_state_t lock_state = qd_python_lock();
PyObject *module = PyImport_ImportModule("qpid_dispatch_internal.policy.policy_manager");
if (module) {
PyObject *lookup_user = PyObject_GetAttrString(module, "policy_lookup_user");
if (lookup_user) {
PyObject *result = PyObject_CallFunction(lookup_user, "(OssssK)",
(PyObject *)policy->py_policy_manager,
username, hostip, appname, conn_name, conn_id);
if (result) {
const char *res_string = PyString_AsString(result);
strncpy(name_buf, res_string, name_buf_size);
Py_XDECREF(result);
res = true; // settings name returned
} else {
qd_log(policy->log_source, QD_LOG_DEBUG, "Internal: lookup_user: result");
}
Py_XDECREF(lookup_user);
} else {
qd_log(policy->log_source, QD_LOG_DEBUG, "Internal: lookup_user: lookup_user");
}
}
if (!res) {
if (module) {
Py_XDECREF(module);
}
qd_python_unlock(lock_state);
return false;
}
//
if (name_buf[0]) {
// Go get the named settings
res = false;
PyObject *upolicy = PyDict_New();
if (upolicy) {
PyObject *lookup_settings = PyObject_GetAttrString(module, "policy_lookup_settings");
if (lookup_settings) {
PyObject *result2 = PyObject_CallFunction(lookup_settings, "(OssO)",
(PyObject *)policy->py_policy_manager,
appname, name_buf, upolicy);
if (result2) {
settings->maxFrameSize = qd_entity_opt_long((qd_entity_t*)upolicy, "maxFrameSize", 0);
settings->maxMessageSize = qd_entity_opt_long((qd_entity_t*)upolicy, "maxMessageSize", 0);
settings->maxSessionWindow = qd_entity_opt_long((qd_entity_t*)upolicy, "maxSessionWindow", 0);
settings->maxSessions = qd_entity_opt_long((qd_entity_t*)upolicy, "maxSessions", 0);
settings->maxSenders = qd_entity_opt_long((qd_entity_t*)upolicy, "maxSenders", 0);
settings->maxReceivers = qd_entity_opt_long((qd_entity_t*)upolicy, "maxReceivers", 0);
settings->allowAnonymousSender = qd_entity_opt_bool((qd_entity_t*)upolicy, "allowAnonymousSender", false);
settings->allowDynamicSrc = qd_entity_opt_bool((qd_entity_t*)upolicy, "allowDynamicSrc", false);
settings->sources = qd_entity_get_string((qd_entity_t*)upolicy, "sources");
settings->targets = qd_entity_get_string((qd_entity_t*)upolicy, "targets");
settings->denialCounts = (qd_policy_denial_counts_t*)
qd_entity_get_long((qd_entity_t*)upolicy, "denialCounts");
Py_XDECREF(result2);
res = true; // named settings content returned
} else {
qd_log(policy->log_source, QD_LOG_DEBUG, "Internal: lookup_user: result2");
}
Py_XDECREF(lookup_settings);
} else {
qd_log(policy->log_source, QD_LOG_DEBUG, "Internal: lookup_user: lookup_settings");
}
Py_XDECREF(upolicy);
} else {
qd_log(policy->log_source, QD_LOG_DEBUG, "Internal: lookup_user: upolicy");
}
}
Py_XDECREF(module);
qd_python_unlock(lock_state);
if (name_buf[0]) {
qd_log(policy->log_source,
QD_LOG_TRACE,
"ALLOW AMQP Open lookup_user: %s, hostip: %s, app: %s, connection: %s. Usergroup: '%s'%s",
username, hostip, appname, conn_name, name_buf, (res ? "" : " Internal error."));
} else {
// Denials are logged in python code
}
return res;
}
static qd_error_t load_server_config(qd_dispatch_t *qd, qd_server_config_t *config, qd_entity_t* entity)
{
qd_error_clear();
bool authenticatePeer = qd_entity_opt_bool(entity, "authenticatePeer", false); CHECK();
char *stripAnnotations = qd_entity_opt_string(entity, "stripAnnotations", 0); CHECK();
bool requireEncryption = qd_entity_opt_bool(entity, "requireEncryption", false); CHECK();
bool requireSsl = qd_entity_opt_bool(entity, "requireSsl", false); CHECK();
bool depRequirePeerAuth = qd_entity_opt_bool(entity, "requirePeerAuth", false); CHECK();
bool depAllowUnsecured = qd_entity_opt_bool(entity, "allowUnsecured", !requireSsl); CHECK();
memset(config, 0, sizeof(*config));
config->host = qd_entity_get_string(entity, "addr"); CHECK();
config->port = qd_entity_get_string(entity, "port"); CHECK();
config->name = qd_entity_opt_string(entity, "name", 0); CHECK();
config->role = qd_entity_get_string(entity, "role"); CHECK();
config->protocol_family = qd_entity_opt_string(entity, "protocolFamily", 0); CHECK();
config->max_frame_size = qd_entity_get_long(entity, "maxFrameSize"); CHECK();
config->idle_timeout_seconds = qd_entity_get_long(entity, "idleTimeoutSeconds"); CHECK();
config->sasl_username = qd_entity_opt_string(entity, "saslUsername", 0); CHECK();
config->sasl_password = qd_entity_opt_string(entity, "saslPassword", 0); CHECK();
config->sasl_mechanisms = qd_entity_opt_string(entity, "saslMechanisms", 0); CHECK();
config->ssl_enabled = has_attrs(entity, ssl_attributes, ssl_attributes_count);
config->link_capacity = qd_entity_opt_long(entity, "linkCapacity", 0); CHECK();
//
// Handle the defaults for link capacity.
//
if (config->link_capacity == 0) {
if (strcmp("inter-router", config->role) == 0)
config->link_capacity = 100000; // This is effectively infinite since session flow control will be more stringent.
else
config->link_capacity = 250;
}
//
// For now we are hardwiring this attribute to true. If there's an outcry from the
// user community, we can revisit this later.
//
config->allowInsecureAuthentication = true;
load_strip_annotations(config, stripAnnotations);
config->requireAuthentication = authenticatePeer || depRequirePeerAuth;
config->requireEncryption = requireEncryption || !depAllowUnsecured;
if (config->ssl_enabled) {
config->ssl_required = requireSsl || !depAllowUnsecured;
config->ssl_require_peer_authentication = config->sasl_mechanisms &&
strstr(config->sasl_mechanisms, "EXTERNAL") != 0;
config->ssl_certificate_file =
qd_entity_opt_string(entity, "certFile", 0); CHECK();
config->ssl_private_key_file =
qd_entity_opt_string(entity, "keyFile", 0); CHECK();
config->ssl_password =
qd_entity_opt_string(entity, "password", 0); CHECK();
config->ssl_trusted_certificate_db =
qd_entity_opt_string(entity, "certDb", 0); CHECK();
config->ssl_trusted_certificates =
qd_entity_opt_string(entity, "trustedCerts", 0); CHECK();
config->ssl_uid_format =
qd_entity_opt_string(entity, "uidFormat", 0); CHECK();
config->ssl_display_name_file =
qd_entity_opt_string(entity, "displayNameFile", 0); CHECK();
}
free(stripAnnotations);
return QD_ERROR_NONE;
error:
qd_server_config_free(config);
return qd_error_code();
}
static qd_error_t load_server_config(qd_dispatch_t *qd, qd_server_config_t *config, qd_entity_t* entity, bool is_listener)
{
qd_error_clear();
bool authenticatePeer = qd_entity_opt_bool(entity, "authenticatePeer", false); CHECK();
bool verifyHostName = qd_entity_opt_bool(entity, "verifyHostName", true); CHECK();
bool requireEncryption = qd_entity_opt_bool(entity, "requireEncryption", false); CHECK();
bool requireSsl = qd_entity_opt_bool(entity, "requireSsl", false); CHECK();
memset(config, 0, sizeof(*config));
config->log_message = qd_entity_opt_string(entity, "logMessage", 0); CHECK();
config->log_bits = populate_log_message(config);
config->port = qd_entity_get_string(entity, "port"); CHECK();
config->name = qd_entity_opt_string(entity, "name", 0); CHECK();
config->role = qd_entity_get_string(entity, "role"); CHECK();
config->inter_router_cost = qd_entity_opt_long(entity, "cost", 1); CHECK();
config->protocol_family = qd_entity_opt_string(entity, "protocolFamily", 0); CHECK();
config->http = qd_entity_opt_bool(entity, "http", false); CHECK();
config->http_root = qd_entity_opt_string(entity, "httpRoot", false); CHECK();
config->http = config->http || config->http_root; /* httpRoot implies http */
config->max_frame_size = qd_entity_get_long(entity, "maxFrameSize"); CHECK();
config->max_sessions = qd_entity_get_long(entity, "maxSessions"); CHECK();
uint64_t ssn_frames = qd_entity_opt_long(entity, "maxSessionFrames", 0); CHECK();
config->idle_timeout_seconds = qd_entity_get_long(entity, "idleTimeoutSeconds"); CHECK();
if (is_listener) {
config->initial_handshake_timeout_seconds = qd_entity_get_long(entity, "initialHandshakeTimeoutSeconds"); CHECK();
}
config->sasl_username = qd_entity_opt_string(entity, "saslUsername", 0); CHECK();
config->sasl_password = qd_entity_opt_string(entity, "saslPassword", 0); CHECK();
config->sasl_mechanisms = qd_entity_opt_string(entity, "saslMechanisms", 0); CHECK();
config->ssl_profile = qd_entity_opt_string(entity, "sslProfile", 0); CHECK();
config->sasl_plugin = qd_entity_opt_string(entity, "saslPlugin", 0); CHECK();
config->link_capacity = qd_entity_opt_long(entity, "linkCapacity", 0); CHECK();
config->multi_tenant = qd_entity_opt_bool(entity, "multiTenant", false); CHECK();
set_config_host(config, entity);
//
// Handle the defaults for various settings
//
if (config->link_capacity == 0)
config->link_capacity = 250;
if (config->max_sessions == 0 || config->max_sessions > 32768)
// Proton disallows > 32768
config->max_sessions = 32768;
if (config->max_frame_size < QD_AMQP_MIN_MAX_FRAME_SIZE)
// Silently promote the minimum max-frame-size
// Proton will do this but the number is needed for the
// incoming capacity calculation.
config->max_frame_size = QD_AMQP_MIN_MAX_FRAME_SIZE;
//
// Given session frame count and max frame size compute session incoming_capacity
//
if (ssn_frames == 0)
config->incoming_capacity = (sizeof(size_t) < 8) ? 0x7FFFFFFFLL : 0x7FFFFFFFLL * config->max_frame_size;
else {
uint64_t mfs = (uint64_t) config->max_frame_size;
uint64_t trial_ic = ssn_frames * mfs;
uint64_t limit = (sizeof(size_t) < 8) ? (1ll << 31) - 1 : 0;
if (limit == 0 || trial_ic < limit) {
// Silently promote incoming capacity of zero to one
config->incoming_capacity =
(trial_ic < QD_AMQP_MIN_MAX_FRAME_SIZE ? QD_AMQP_MIN_MAX_FRAME_SIZE : trial_ic);
} else {
config->incoming_capacity = limit;
uint64_t computed_ssn_frames = limit / mfs;
qd_log(qd->connection_manager->log_source, QD_LOG_WARNING,
"Server configuation for I/O adapter entity name:'%s', host:'%s', port:'%s', "
"requested maxSessionFrames truncated from %"PRId64" to %"PRId64,
config->name, config->host, config->port, ssn_frames, computed_ssn_frames);
}
}
//
// For now we are hardwiring this attribute to true. If there's an outcry from the
// user community, we can revisit this later.
//
config->allowInsecureAuthentication = true;
config->verify_host_name = verifyHostName;
char *stripAnnotations = qd_entity_opt_string(entity, "stripAnnotations", 0);
load_strip_annotations(config, stripAnnotations);
free(stripAnnotations);
stripAnnotations = 0;
CHECK();
config->requireAuthentication = authenticatePeer;
config->requireEncryption = requireEncryption || requireSsl;
if (config->ssl_profile) {
config->ssl_required = requireSsl;
config->ssl_require_peer_authentication = config->sasl_mechanisms &&
strstr(config->sasl_mechanisms, "EXTERNAL") != 0;
qd_config_ssl_profile_t *ssl_profile =
qd_find_ssl_profile(qd->connection_manager, config->ssl_profile);
if (ssl_profile) {
config->ssl_certificate_file = SSTRDUP(ssl_profile->ssl_certificate_file);
config->ssl_private_key_file = SSTRDUP(ssl_profile->ssl_private_key_file);
config->ciphers = SSTRDUP(ssl_profile->ciphers);
config->ssl_password = SSTRDUP(ssl_profile->ssl_password);
config->ssl_trusted_certificate_db = SSTRDUP(ssl_profile->ssl_trusted_certificate_db);
config->ssl_trusted_certificates = SSTRDUP(ssl_profile->ssl_trusted_certificates);
config->ssl_uid_format = SSTRDUP(ssl_profile->ssl_uid_format);
config->ssl_display_name_file = SSTRDUP(ssl_profile->ssl_display_name_file);
}
}
if (config->sasl_plugin) {
qd_config_sasl_plugin_t *sasl_plugin =
qd_find_sasl_plugin(qd->connection_manager, config->sasl_plugin);
if (sasl_plugin) {
config->auth_service = SSTRDUP(sasl_plugin->auth_service);
config->sasl_init_hostname = SSTRDUP(sasl_plugin->sasl_init_hostname);
qd_log(qd->connection_manager->log_source, QD_LOG_INFO, "Using auth service %s from SASL Plugin %s", config->auth_service, config->sasl_plugin);
if (sasl_plugin->auth_ssl_profile) {
qd_config_ssl_profile_t *auth_ssl_profile =
qd_find_ssl_profile(qd->connection_manager, sasl_plugin->auth_ssl_profile);
config->auth_ssl_conf = pn_ssl_domain(PN_SSL_MODE_CLIENT);
if (auth_ssl_profile->ssl_certificate_file) {
if (pn_ssl_domain_set_credentials(config->auth_ssl_conf,
auth_ssl_profile->ssl_certificate_file,
auth_ssl_profile->ssl_private_key_file,
auth_ssl_profile->ssl_password)) {
qd_error(QD_ERROR_RUNTIME, "Cannot set SSL credentials for authentication service"); CHECK();
}
}
if (auth_ssl_profile->ssl_trusted_certificate_db) {
if (pn_ssl_domain_set_trusted_ca_db(config->auth_ssl_conf, auth_ssl_profile->ssl_trusted_certificate_db)) {
qd_error(QD_ERROR_RUNTIME, "Cannot set trusted SSL certificate db for authentication service" ); CHECK();
} else {
if (pn_ssl_domain_set_peer_authentication(config->auth_ssl_conf, PN_SSL_VERIFY_PEER, auth_ssl_profile->ssl_trusted_certificate_db)) {
qd_error(QD_ERROR_RUNTIME, "Cannot set SSL peer verification for authentication service"); CHECK();
}
}
}
if (auth_ssl_profile->ciphers) {
if (pn_ssl_domain_set_ciphers(config->auth_ssl_conf, auth_ssl_profile->ciphers)) {
return qd_error(QD_ERROR_RUNTIME, "Cannot set ciphers. The ciphers string might be invalid. Use openssl ciphers -v <ciphers> to validate");
}
}
}
} else {
qd_error(QD_ERROR_RUNTIME, "Cannot find sasl plugin %s", config->sasl_plugin); CHECK();
}
}
return QD_ERROR_NONE;
error:
qd_server_config_free(config);
return qd_error_code();
}
static qd_error_t load_server_config(qd_dispatch_t *qd, qd_server_config_t *config, qd_entity_t* entity, qd_config_ssl_profile_t **ssl_profile)
{
qd_error_clear();
bool authenticatePeer = qd_entity_opt_bool(entity, "authenticatePeer", false); CHECK();
bool verifyHostName = qd_entity_opt_bool(entity, "verifyHostName", true); CHECK();
char *stripAnnotations = qd_entity_opt_string(entity, "stripAnnotations", 0); CHECK();
bool requireEncryption = qd_entity_opt_bool(entity, "requireEncryption", false); CHECK();
bool requireSsl = qd_entity_opt_bool(entity, "requireSsl", false); CHECK();
bool depRequirePeerAuth = qd_entity_opt_bool(entity, "requirePeerAuth", false); CHECK();
bool depAllowUnsecured = qd_entity_opt_bool(entity, "allowUnsecured", !requireSsl); CHECK();
memset(config, 0, sizeof(*config));
config->port = qd_entity_get_string(entity, "port"); CHECK();
config->name = qd_entity_opt_string(entity, "name", 0); CHECK();
config->role = qd_entity_get_string(entity, "role"); CHECK();
config->inter_router_cost = qd_entity_opt_long(entity, "cost", 1); CHECK();
config->protocol_family = qd_entity_opt_string(entity, "protocolFamily", 0); CHECK();
config->max_frame_size = qd_entity_get_long(entity, "maxFrameSize"); CHECK();
config->max_sessions = qd_entity_get_long(entity, "maxSessions"); CHECK();
uint64_t ssn_frames = qd_entity_get_long(entity, "maxSessionFrames"); CHECK();
config->idle_timeout_seconds = qd_entity_get_long(entity, "idleTimeoutSeconds"); CHECK();
config->sasl_username = qd_entity_opt_string(entity, "saslUsername", 0); CHECK();
config->sasl_password = qd_entity_opt_string(entity, "saslPassword", 0); CHECK();
config->sasl_mechanisms = qd_entity_opt_string(entity, "saslMechanisms", 0); CHECK();
config->ssl_profile = qd_entity_opt_string(entity, "sslProfile", 0); CHECK();
config->link_capacity = qd_entity_opt_long(entity, "linkCapacity", 0); CHECK();
set_config_host(config, entity);
//
// Handle the defaults for various settings
//
if (config->link_capacity == 0)
config->link_capacity = 250;
if (config->max_sessions == 0 || config->max_sessions > 32768)
// Proton disallows > 32768
config->max_sessions = 32768;
if (config->max_frame_size < QD_AMQP_MIN_MAX_FRAME_SIZE)
// Silently promote the minimum max-frame-size
// Proton will do this but the number is needed for the
// incoming capacity calculation.
config->max_frame_size = QD_AMQP_MIN_MAX_FRAME_SIZE;
//
// Given session frame count and max frame size compute session incoming_capacity
// Limit total capacity to 2^31-1.
//
uint64_t mfs = (uint64_t)config->max_frame_size;
uint64_t trial_ic = ssn_frames * mfs;
uint64_t limit = (1ll << 31) - 1;
if (trial_ic < limit) {
// Silently promote incoming capacity of zero to one
config->incoming_capacity =
(trial_ic < QD_AMQP_MIN_MAX_FRAME_SIZE ? QD_AMQP_MIN_MAX_FRAME_SIZE : trial_ic);
} else {
config->incoming_capacity = limit;
uint64_t computed_ssn_frames = limit / mfs;
qd_log(qd->connection_manager->log_source, QD_LOG_WARNING,
"Server configuation for I/O adapter entity name:'%s', host:'%s', port:'%s', "
"requested maxSessionFrames truncated from %llu to %llu",
config->name, config->host, config->port, ssn_frames, computed_ssn_frames);
}
//
// For now we are hardwiring this attribute to true. If there's an outcry from the
// user community, we can revisit this later.
//
config->allowInsecureAuthentication = true;
config->verify_host_name = verifyHostName;
load_strip_annotations(config, stripAnnotations);
config->requireAuthentication = authenticatePeer || depRequirePeerAuth;
config->requireEncryption = requireEncryption || !depAllowUnsecured;
if (config->ssl_profile) {
config->ssl_required = requireSsl || !depAllowUnsecured;
config->ssl_require_peer_authentication = config->sasl_mechanisms &&
strstr(config->sasl_mechanisms, "EXTERNAL") != 0;
*ssl_profile = qd_find_ssl_profile(qd->connection_manager, config->ssl_profile);
if (*ssl_profile) {
config->ssl_certificate_file = (*ssl_profile)->ssl_certificate_file;
config->ssl_private_key_file = (*ssl_profile)->ssl_private_key_file;
config->ssl_password = (*ssl_profile)->ssl_password;
config->ssl_trusted_certificate_db = (*ssl_profile)->ssl_trusted_certificate_db;
config->ssl_trusted_certificates = (*ssl_profile)->ssl_trusted_certificates;
config->ssl_uid_format = (*ssl_profile)->ssl_uid_format;
config->ssl_display_name_file = (*ssl_profile)->ssl_display_name_file;
}
sys_atomic_inc(&(*ssl_profile)->ref_count);
}
free(stripAnnotations);
return QD_ERROR_NONE;
error:
qd_server_config_free(config);
return qd_error_code();
}
/** Look up user/host/vhost in python vhost and give the AMQP Open
* a go-no_go decision. Return false if the mechanics of calling python
* fails. A policy lookup will deny the connection by returning a blank
* usergroup name in the name buffer.
* Connection and connection denial counting is done in the python code.
* @param[in] policy pointer to policy
* @param[in] username authenticated user name
* @param[in] hostip numeric host ip address
* @param[in] vhost application name received in remote AMQP Open.hostname
* @param[in] conn_name connection name for tracking
* @param[out] name_buf pointer to settings name buffer
* @param[in] name_buf_size size of settings_buf
**/
bool qd_policy_open_lookup_user(
qd_policy_t *policy,
const char *username,
const char *hostip,
const char *vhost,
const char *conn_name,
char *name_buf,
int name_buf_size,
uint64_t conn_id,
qd_policy_settings_t *settings)
{
// Lookup the user/host/vhost for allow/deny and to get settings name
bool res = false;
qd_python_lock_state_t lock_state = qd_python_lock();
PyObject *module = PyImport_ImportModule("qpid_dispatch_internal.policy.policy_manager");
if (module) {
PyObject *lookup_user = PyObject_GetAttrString(module, "policy_lookup_user");
if (lookup_user) {
PyObject *result = PyObject_CallFunction(lookup_user, "(OssssK)",
(PyObject *)policy->py_policy_manager,
username, hostip, vhost, conn_name, conn_id);
if (result) {
const char *res_string = PyString_AsString(result);
strncpy(name_buf, res_string, name_buf_size);
Py_XDECREF(result);
res = true; // settings name returned
} else {
qd_log(policy->log_source, QD_LOG_DEBUG, "Internal: lookup_user: result");
}
Py_XDECREF(lookup_user);
} else {
qd_log(policy->log_source, QD_LOG_DEBUG, "Internal: lookup_user: lookup_user");
}
}
if (!res) {
if (module) {
Py_XDECREF(module);
}
qd_python_unlock(lock_state);
return false;
}
//
if (name_buf[0]) {
// Go get the named settings
res = false;
PyObject *upolicy = PyDict_New();
if (upolicy) {
PyObject *lookup_settings = PyObject_GetAttrString(module, "policy_lookup_settings");
if (lookup_settings) {
PyObject *result2 = PyObject_CallFunction(lookup_settings, "(OssO)",
(PyObject *)policy->py_policy_manager,
vhost, name_buf, upolicy);
if (result2) {
settings->maxFrameSize = qd_entity_opt_long((qd_entity_t*)upolicy, "maxFrameSize", 0);
settings->maxMessageSize = qd_entity_opt_long((qd_entity_t*)upolicy, "maxMessageSize", 0);
settings->maxSessionWindow = qd_entity_opt_long((qd_entity_t*)upolicy, "maxSessionWindow", 0);
settings->maxSessions = qd_entity_opt_long((qd_entity_t*)upolicy, "maxSessions", 0);
settings->maxSenders = qd_entity_opt_long((qd_entity_t*)upolicy, "maxSenders", 0);
settings->maxReceivers = qd_entity_opt_long((qd_entity_t*)upolicy, "maxReceivers", 0);
settings->allowAnonymousSender = qd_entity_opt_bool((qd_entity_t*)upolicy, "allowAnonymousSender", false);
settings->allowDynamicSource = qd_entity_opt_bool((qd_entity_t*)upolicy, "allowDynamicSource", false);
settings->allowUserIdProxy = qd_entity_opt_bool((qd_entity_t*)upolicy, "allowUserIdProxy", false);
settings->sources = qd_entity_get_string((qd_entity_t*)upolicy, "sources");
settings->targets = qd_entity_get_string((qd_entity_t*)upolicy, "targets");
settings->denialCounts = (qd_policy_denial_counts_t*)
qd_entity_get_long((qd_entity_t*)upolicy, "denialCounts");
Py_XDECREF(result2);
res = true; // named settings content returned
} else {
qd_log(policy->log_source, QD_LOG_DEBUG, "Internal: lookup_user: result2");
}
Py_XDECREF(lookup_settings);
} else {
qd_log(policy->log_source, QD_LOG_DEBUG, "Internal: lookup_user: lookup_settings");
}
Py_XDECREF(upolicy);
} else {
qd_log(policy->log_source, QD_LOG_DEBUG, "Internal: lookup_user: upolicy");
}
}
Py_XDECREF(module);
qd_python_unlock(lock_state);
if (name_buf[0]) {
qd_log(policy->log_source,
QD_LOG_TRACE,
"ALLOW AMQP Open lookup_user: %s, rhost: %s, vhost: %s, connection: %s. Usergroup: '%s'%s",
username, hostip, vhost, conn_name, name_buf, (res ? "" : " Internal error."));
} else {
// Denials are logged in python code
}
return res;
}
