qpid-dev mailing list archives
From "ASF subversion and git services (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (QPID-7130) qpid C++ with SSL authentication returning dummy string from Connection::getAuthenticatedUsername()
Date Tue, 08 Mar 2016 21:28:41 GMT

    [ https://issues.apache.org/jira/browse/QPID-7130?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15185848#comment-15185848 ]

ASF subversion and git services commented on QPID-7130:
-------------------------------------------------------

Commit 1734161 from [~gsim] in branch 'qpid/trunk'
[ https://svn.apache.org/r1734161 ]

QPID-7130: [PATCH 3/5] Added virtual keyword to functions ~BSDSocket, getKeyLen
 and getClientAuthId to BSDSocket class since it is used as SslSocket parent
 class.

Patch from Domen Vrankar <domen.vrankar@halcom.si>

> qpid C++ with SSL authentication returning dummy string from Connection::getAuthenticatedUsername()
> ---------------------------------------------------------------------------------------------------
>
>                 Key: QPID-7130
>                 URL: https://issues.apache.org/jira/browse/QPID-7130
>             Project: Qpid
>          Issue Type: Improvement
>    Affects Versions: qpid-cpp-0.34
>         Environment: Fedora 21 Linux
>            Reporter: Domen Vrankar
>            Assignee: Gordon Sim
>            Priority: Minor
>              Labels: features, patch
>             Fix For: qpid-cpp-next
>
>         Attachments: 0001-qpid-messaging-Connection-getAuthenticatedUsername.patch, 0002-Added-getLocalAuthId-to-all-socket-classes.patch,
> 0003-Added-virtual-keyword-to-functions-BSDSocket-getKeyL.patch, 0004-Added-getPeerAuthId-as-an-alias-for-getClientAuthId-.patch,
> 0005-Deleted-old-getClientAuthId-function-that-was-replac.patch
>
>
> When using Qpid C++ without SASL or with authentication disabled you can do:
> qpid_message.setUserId(qpid_connection_.getAuthenticatedUsername());
> and message can be received on remote location.
> Without SASL "ANONYMOUS" string is returned.
> With SASL but without authentication "anonymous" string is returned.
> In both cases message isn't rejected by broker.
> With SASL and SSL authentication "dummy" is returned. This string is rejected by the broker
> and also doesn't help with identifying who sent the message.
> First patch fixes this by reading the local certificate authentication id the same way as
> SslSocket::getClientAuthId does but for the local instead of the peer certificate.
> Second patch adds getLocalAuthId to all other classes derived from Socket (not certain
> if this is necessary, that's why it's in a separate patch).
> Third patch adds the virtual keyword to BSDSocket getKeyLen, getClientAuthId and ~BSDSocket()
> functions since this class is the parent class of SslSocket. (Since with C++11 and later compilers
> the final and override keywords can be used to find such errors, perhaps two macros should be defined
> and used throughout the code, e.g.:
> create file qpid_cpp.hpp
> #if __cplusplus <= 199711L
>   #define QPID_CPP_OVERRIDE
>   #define QPID_CPP_FINAL
> #else
>   #define QPID_CPP_OVERRIDE override
>   #define QPID_CPP_FINAL final
> #endif
> and then used somewhere:
> #include "qpid_cpp.hpp"
> struct A {
>     virtual void foo() QPID_CPP_FINAL; // A::foo is final
>     virtual void bar();
>     virtual void bas();
> };
>  
> struct B QPID_CPP_FINAL : A { // struct B is final
>     void foo(); // Error: foo cannot be overridden as it's final in A
>     void bar() QPID_CPP_OVERRIDE;
>     int bas() QPID_CPP_OVERRIDE; // Error: wrong bas signature used
>     void baf() QPID_CPP_OVERRIDE; // Error: function doesn't override anything 
> };
>  
> struct C : B { // Error: B is final
> };
> )
> Fourth patch adds getPeerAuthId as an alias for getClientAuthId since the current name is meaningful
> only on the broker side (on the client side it returns the broker authentication id).
> Fifth patch removes getClientAuthId altogether (split into a separate patch as I am not
> certain if this function can be accessed from outside the Qpid internal implementation and should
> remain as is).
> How to test:
> Build qpid with SASL and SSL.
> Create ssl certificate store.
> Run qpid with:
> qpidd --ssl-cert-db ${CERT_DB_DIR} --ssl-cert-password-file /tmp/password.txt --ssl-cert-name
> 127.0.0.1 --ssl-require-client-authentication --acl-file ${ACL_DIR}/acl_file.acl --auth yes
> ACL file should contain:
> acl allow send@QPID all # sender cert
> acl allow receive@QPID all # receiver cert
> acl deny all all
> On sending client use:
> qpid_message.setUserId(qpid_connection_.getAuthenticatedUsername());
> On receiving client use:
> qpid_message.getUserId();
> Message should be delivered and the IDs should be the same and match the sender certificate
> nickname.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
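The third patch in the quoted issue exists because a member that is not declared `virtual` in the base class is hidden, not overridden, by the derived class: any code holding the socket through a base pointer keeps calling the base implementation. The example below is added here and is not Qpid code; the `BSDSocket`/`SslSocket` names are stand-ins that mimic the parent/child relationship the issue describes, the returned ids ("dummy", "sender") and key length are constructed values, and the `QPID_CPP_OVERRIDE`/`QPID_CPP_FINAL` macros follow the sketch in the issue text. It shows the before-the-patch behaviour next to the after-the-patch behaviour, including why the destructor also needs to be virtual.

```cpp
// Added example, not Qpid code. BSDSocket/SslSocket are stand-ins for the
// classes named in QPID-7130; the ids and key lengths are constructed values.
#include <iostream>
#include <string>

// Portable override/final macros, as sketched in the issue text.
#if __cplusplus <= 199711L
  #define QPID_CPP_OVERRIDE
  #define QPID_CPP_FINAL
#else
  #define QPID_CPP_OVERRIDE override
  #define QPID_CPP_FINAL final
#endif

// Before patch 3: BSDSocket members are not virtual, so SslSocket's versions
// merely hide them. Code that holds a BSDSocket* gets the base implementation,
// i.e. the "dummy" id the issue complains about.
namespace before {
struct BSDSocket {
    ~BSDSocket() {}
    std::string getClientAuthId() const { return "dummy"; }
    int getKeyLen() const { return 0; }
};
struct SslSocket : BSDSocket {
    std::string getClientAuthId() const { return "sender"; }  // constructed cert nickname
    int getKeyLen() const { return 256; }
};
}

// After patch 3: virtual members, so calls through BSDSocket* dispatch to
// SslSocket. QPID_CPP_OVERRIDE makes the compiler reject a mismatched
// signature; QPID_CPP_FINAL stops further derivation.
namespace after {
struct BSDSocket {
    virtual ~BSDSocket() {}
    virtual std::string getClientAuthId() const { return "dummy"; }
    virtual int getKeyLen() const { return 0; }
};
struct SslSocket QPID_CPP_FINAL : BSDSocket {
    static int destroyed;  // counts SslSocket destructor runs
    ~SslSocket() { ++destroyed; }
    std::string getClientAuthId() const QPID_CPP_OVERRIDE { return "sender"; }
    int getKeyLen() const QPID_CPP_OVERRIDE { return 256; }
};
int SslSocket::destroyed = 0;
}

// Each helper touches the SSL socket only through a BSDSocket pointer,
// which is how code written against the base class sees it.
std::string authIdBefore() {
    before::SslSocket s;
    const before::BSDSocket* base = &s;
    return base->getClientAuthId();   // static dispatch: "dummy"
}
std::string authIdAfter() {
    after::SslSocket s;
    const after::BSDSocket* base = &s;
    return base->getClientAuthId();   // virtual dispatch: "sender"
}
int keyLenBefore() {
    before::SslSocket s;
    const before::BSDSocket* base = &s;
    return base->getKeyLen();         // 0
}
int keyLenAfter() {
    after::SslSocket s;
    const after::BSDSocket* base = &s;
    return base->getKeyLen();         // 256
}
// Deleting through a base pointer is only well defined with a virtual
// destructor; the `before` variant would be undefined behaviour, so it is
// deliberately not exercised here.
int destroyedViaBaseAfter() {
    after::SslSocket::destroyed = 0;
    after::BSDSocket* base = new after::SslSocket;
    delete base;
    return after::SslSocket::destroyed; // 1: SslSocket's destructor ran
}

int main() {
    std::cout << "before: id=" << authIdBefore() << " keylen=" << keyLenBefore() << "\n"
              << "after:  id=" << authIdAfter()  << " keylen=" << keyLenAfter()
              << " derived-dtor-runs=" << destroyedViaBaseAfter() << "\n";
    return 0;
}
```

The `after` variant is also where the macros pay off: changing `getKeyLen` to return `long` in `SslSocket`, or misspelling it, turns a silently hidden member into a compile error under C++11, which is the check the issue proposes for catching this class of bug across the code base.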


