From "ASF subversion and git services (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (QPID-7130) qpid C++ with SSL authentication returning dummy string from Connection::getAuthenticatedUsername()
Date Tue, 08 Mar 2016 21:28:41 GMT

    [ https://issues.apache.org/jira/browse/QPID-7130?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15185849#comment-15185849 ]

ASF subversion and git services commented on QPID-7130:
-------------------------------------------------------

Commit 1734162 from [~gsim] in branch 'qpid/trunk'
[ https://svn.apache.org/r1734162 ]

QPID-7130: [PATCH 4/5] Added getPeerAuthId as an alias for getClientAuthId since
 the function returns client auth id on server side and server auth id on
 client side so the new name is more appropriate.

Patch from: Domen Vrankar <domen.vrankar@halcom.si>

> qpid C++ with SSL authentication returning dummy string from Connection::getAuthenticatedUsername()
> ---------------------------------------------------------------------------------------------------
>
>                 Key: QPID-7130
>                 URL: https://issues.apache.org/jira/browse/QPID-7130
>             Project: Qpid
>          Issue Type: Improvement
>    Affects Versions: qpid-cpp-0.34
>         Environment: Fedora 21 Linux
>            Reporter: Domen Vrankar
>            Assignee: Gordon Sim
>            Priority: Minor
>              Labels: features, patch
>             Fix For: qpid-cpp-next
>
>         Attachments: 0001-qpid-messaging-Connection-getAuthenticatedUsername.patch,
>                      0002-Added-getLocalAuthId-to-all-socket-classes.patch,
>                      0003-Added-virtual-keyword-to-functions-BSDSocket-getKeyL.patch,
>                      0004-Added-getPeerAuthId-as-an-alias-for-getClientAuthId-.patch,
>                      0005-Deleted-old-getClientAuthId-function-that-was-replac.patch
>
>
> When using Qpid C++ without SASL or with authentication disabled you can do:
> qpid_message.setUserId(qpid_connection_.getAuthenticatedUsername());
> and message can be received on remote location.
> Without SASL "ANONYMOUS" string is returned.
> With SASL but without authentication "anonymous" string is returned.
> In both cases message isn't rejected by broker.
> With SASL and SSL authentication "dummy" is returned. This string is rejected by broker
> and also doesn't help with identifying who sent the message.
> First patch fixes this by reading local certificate authentication id the same way as
> SslSocket::getClientAuthId does but for local instead of peer certificate.
> Second patch adds getLocalAuthId to all other classes derived from Socket (not certain
> if this is necessary, that's why it's in a separate patch).
> Third patch adds virtual keyword to BSDSocket getKeyLen, getClientAuthId and ~BSDSocket()
> functions since this class is parent class of SslSocket. (Since with C++11 and later compilers
> final and override keywords can be used to find such errors perhaps two macros should be defined
> and used throughout the code e.g.:
> create file qpid_cpp.hpp
> #if __cplusplus <= 199711L
>   #define QPID_CPP_OVERRIDE
>   #define QPID_CPP_FINAL
> #else
>   #define QPID_CPP_OVERRIDE override
>   #define QPID_CPP_FINAL final
> #endif
> and then used somewhere:
> #include "qpid_cpp.hpp"
> struct A {
>     virtual void foo() QPID_CPP_FINAL; // A::foo is final
>     virtual void bar();
>     virtual void bas();
> };
>  
> struct B QPID_CPP_FINAL : A { // struct B is final
>     void foo(); // Error: foo cannot be overridden as it's final in A
>     void bar() QPID_CPP_OVERRIDE;
>     int bas() QPID_CPP_OVERRIDE; // Error: wrong bas signature used (return type differs from A::bas)
>     void baf() QPID_CPP_OVERRIDE; // Error: function doesn't override anything 
> };
>  
> struct C : B { // Error: B is final
> };
> )
> Fourth patch adds getPeerAuthId as alias for getClientAuthId since current name is meaningful
> only on broker side (on client side it returns broker authentication id).
> Fifth patch removes getClientAuthId altogether (split into a separate patch as I am not
> certain if this function can be accessed from outside Qpid internal implementation and should
> remain as is).
> How to test:
> Build qpid with SASL and SSL.
> Create ssl certificate store.
> Run qpid with:
> qpidd --ssl-cert-db ${CERT_DB_DIR} --ssl-cert-password-file /tmp/password.txt --ssl-cert-name
> 127.0.0.1 --ssl-require-client-authentication --acl-file ${ACL_DIR}/acl_file.acl --auth yes
> ACL file should contain:
> acl allow send@QPID all # sender cert
> acl allow receive@QPID all # receiver cert
> acl deny all all
> On sending client use:
> qpid_message.setUserId(qpid_connection_.getAuthenticatedUsername());
> On receiving client use:
> qpid_message.getUserId();
> Message should be delivered and IDs should be the same and matching sender certificate
> nickname.
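The third patch in the issue above (adding `virtual` to the BSDSocket functions that SslSocket overrides) and the proposed QPID_CPP_OVERRIDE/QPID_CPP_FINAL macros address the same defect: a base-class function declared without `virtual` is hidden, not overridden, so code holding only a base pointer keeps getting the base implementation. The following is an added example, not qpid's code and not from the patch author; the class names `PlainSocketBase`, `PlainTlsSocket`, `SocketBase`, `TlsSocket`, the helper `authIdViaBase` and the returned strings are constructed for illustration. It shows both the silent mis-dispatch and the macro-guarded correct form compiling under either C++98 or C++11-and-later.

```cpp
// Added example (not qpid's code): why a missing "virtual" in a base class
// matters for getPeerAuthId-style accessors, and how portable override/final
// macros catch such mistakes at compile time. All names below are constructed.
#include <string>

// Portable override/final macros, as proposed in the issue description.
#if __cplusplus <= 199711L
  #define QPID_CPP_OVERRIDE
  #define QPID_CPP_FINAL
#else
  #define QPID_CPP_OVERRIDE override
  #define QPID_CPP_FINAL final
#endif

// --- Case 1: the base class forgets "virtual" -----------------------------
struct PlainSocketBase {
    // Not virtual: a derived class may declare the same signature, but a call
    // made through a PlainSocketBase reference still resolves here.
    std::string getPeerAuthId() const { return "dummy"; }
    ~PlainSocketBase() {}
};

struct PlainTlsSocket : PlainSocketBase {
    // Hides, rather than overrides, the base function. With a C++11 compiler,
    // writing QPID_CPP_OVERRIDE here would turn this into a compile error.
    std::string getPeerAuthId() const { return "receiver"; }
};

// --- Case 2: the base class declares the function virtual ------------------
struct SocketBase {
    virtual std::string getPeerAuthId() const { return "dummy"; }
    virtual ~SocketBase() {}
};

struct TlsSocket QPID_CPP_FINAL : SocketBase {
    // QPID_CPP_OVERRIDE makes a signature mismatch, or a non-virtual base
    // function, a hard error instead of silent hiding (on C++11 and later).
    std::string getPeerAuthId() const QPID_CPP_OVERRIDE { return "receiver"; }
};

// Higher layers typically hold only the base type; these helpers mimic that.
std::string authIdViaBase(const PlainSocketBase& s) { return s.getPeerAuthId(); }
std::string authIdViaBase(const SocketBase& s) { return s.getPeerAuthId(); }

// Returns true iff the virtual version dispatches to the derived class while
// the non-virtual version still yields the base placeholder string.
bool showsDispatchDifference() {
    PlainTlsSocket plain;
    TlsSocket tls;
    return authIdViaBase(plain) == "dummy" && authIdViaBase(tls) == "receiver";
}

int main() {
    return showsDispatchDifference() ? 0 : 1;
}
```

Compile once with `-std=c++98` and once with a newer standard: the program behaves the same in both, but only the newer build can reject a mis-spelled or mis-typed override in `TlsSocket`, which is the point of wrapping the keywords in macros while older compilers are still supported.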



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org

