Google Git
Sign in
apache / qpid-dispatch / 9cdabfc1d1b794ae7081d89871b319d323b7a301 / . / python / qpid_dispatch_internal / policy / policy_local.py
blob: c401e94bd9d0d61093902ad222d691923f84a67c [file] [log] [blame]
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License
#
"""
"""
import json
import pdb
from policy_util import PolicyError, HostStruct, HostAddr, PolicyAppConnectionMgr
"""
Entity implementing the business logic of user connection/access policy.
"""
#
#
class PolicyKeys(object):
"""
String constants
"""
# Common key words
KW_IGNORED_NAME = "name"
KW_IGNORED_IDENTITY = "identity"
KW_IGNORED_TYPE = "type"
KW_VHOST_NAME = "id"
# Policy ruleset key words
KW_MAXCONN = "maxConnections"
KW_MAXCONNPERHOST = "maxConnectionsPerHost"
KW_MAXCONNPERUSER = "maxConnectionsPerUser"
KW_CONNECTION_ALLOW_DEFAULT = "allowUnknownUser"
KW_GROUPS = "groups"
# Policy settings key words
KW_USERS = "users"
KW_REMOTE_HOSTS = "remoteHosts"
KW_MAX_FRAME_SIZE = "maxFrameSize"
KW_MAX_MESSAGE_SIZE = "maxMessageSize"
KW_MAX_SESSION_WINDOW = "maxSessionWindow"
KW_MAX_SESSIONS = "maxSessions"
KW_MAX_SENDERS = "maxSenders"
KW_MAX_RECEIVERS = "maxReceivers"
KW_ALLOW_DYNAMIC_SRC = "allowDynamicSource"
KW_ALLOW_ANONYMOUS_SENDER = "allowAnonymousSender"
KW_SOURCES = "sources"
KW_TARGETS = "targets"
# Policy stats key words
KW_CONNECTIONS_APPROVED = "connectionsApproved"
KW_CONNECTIONS_DENIED = "connectionsDenied"
KW_CONNECTIONS_CURRENT = "connectionsCurrent"
KW_PER_USER_STATE = "perUserState"
KW_PER_HOST_STATE = "perHostState"
# What settings does a user get when allowed to connect but
# not restricted by a user group?
KW_DEFAULT_SETTINGS = "$default"
# Config file separator character for two IP addresses in a range
KC_CONFIG_IP_SEP = "-"
# Config file separator character for names in a list
KC_CONFIG_LIST_SEP = ","
# user-to-group computed map in compiled ruleset
RULESET_U2G_MAP = "U2G"
# policy stats controlled by C code but referenced by settings
KW_CSTATS = "denialCounts"
#
#
class PolicyCompiler(object):
"""
Validate incoming configuration for legal schema.
- Warn about section options that go unused.
- Disallow negative max connection numbers.
- Check that connectionOrigins resolve to IP hosts.
- Enforce internal consistency,
"""
allowed_ruleset_options = [
PolicyKeys.KW_IGNORED_NAME,
PolicyKeys.KW_IGNORED_IDENTITY,
PolicyKeys.KW_IGNORED_TYPE,
PolicyKeys.KW_VHOST_NAME,
PolicyKeys.KW_MAXCONN,
PolicyKeys.KW_MAXCONNPERHOST,
PolicyKeys.KW_MAXCONNPERUSER,
PolicyKeys.KW_CONNECTION_ALLOW_DEFAULT,
PolicyKeys.KW_GROUPS
]
allowed_settings_options = [
PolicyKeys.KW_USERS,
PolicyKeys.KW_REMOTE_HOSTS,
PolicyKeys.KW_MAX_FRAME_SIZE,
PolicyKeys.KW_MAX_MESSAGE_SIZE,
PolicyKeys.KW_MAX_SESSION_WINDOW,
PolicyKeys.KW_MAX_SESSIONS,
PolicyKeys.KW_MAX_SENDERS,
PolicyKeys.KW_MAX_RECEIVERS,
PolicyKeys.KW_ALLOW_DYNAMIC_SRC,
PolicyKeys.KW_ALLOW_ANONYMOUS_SENDER,
PolicyKeys.KW_SOURCES,
PolicyKeys.KW_TARGETS
]
def __init__(self):
"""
Create a validator
"""
pass
def validateNumber(self, val, v_min, v_max, errors):
"""
Range check a numeric int policy value
@param[in] val policy value to check
@param[in] v_min minumum value
@param[in] v_max maximum value. zero disables check
@param[out] errors failure message
@return v_min <= val <= v_max
"""
try:
v_int = int(val)
except Exception, e:
errors.append("Value '%s' does not resolve to an integer." % val)
return False
if v_int < v_min:
errors.append("Value '%s' is below minimum '%s'." % (val, v_min))
return False
if v_max > 0 and v_int > v_max:
errors.append("Value '%s' is above maximum '%s'." % (val, v_max))
return False
return True
def compile_connection_group(self, vhostname, groupname, val, list_out, warnings, errors):
"""
Handle an ingressHostGroups submap.
Each origin value is verified. On a successful run the submap
is replaced parsed lists of HostAddr objects.
@param[in] vhostname vhost name
@param[in] groupname vhost/group name
@param[in] val origin list as text string
@param[out] list_out user inputs replaced with HostAddr objects
@param[out] warnings nonfatal irregularities observed
@param[out] errors descriptions of failure
@return - origins is usable. If True then warnings[] may contain useful
information about fields that are ignored. If False then
warnings[] may contain info and errors[0] will hold the
description of why the origin was rejected.
"""
key = PolicyKeys.KW_REMOTE_HOSTS
# convert val string to list of host specs
if type(val) is str:
# 'abc, def, mytarget'
val = [x.strip(' ') for x in val.split(PolicyKeys.KC_CONFIG_LIST_SEP)]
elif type(val) is list:
# ['abc', 'def', 'mytarget']
pass
elif type(val) is unicode:
# u'abc, def, mytarget'
val = [x.strip(' ') for x in str(val).split(PolicyKeys.KC_CONFIG_LIST_SEP)]
else:
errors.append(
"Policy vhost '%s' user group '%s' option '%s' has illegal value '%s'. Type must be 'str' or 'list' but is '%s;" %
(vhostname, groupname, key, val, type(val)))
return False
for coname in val:
try:
coha = HostAddr(coname, PolicyKeys.KC_CONFIG_IP_SEP)
list_out.append(coha)
except Exception, e:
errors.append("Policy vhost '%s' user group '%s' option '%s' connectionOption '%s' failed to translate: '%s'." %
(vhostname, groupname, key, coname, e))
return False
return True
def compile_app_settings(self, vhostname, usergroup, policy_in, policy_out, warnings, errors):
"""
Compile a schema from processed json format to local internal format.
@param[in] name vhost name
@param[in] policy_in user config settings
@param[out] policy_out validated Internal format
@param[out] warnings nonfatal irregularities observed
@param[out] errors descriptions of failure
@return - settings are usable. If True then warnings[] may contain useful
information about fields that are ignored. If False then
warnings[] may contain info and errors[0] will hold the
description of why the policy was rejected.
"""
# rulesets may not come through standard config so make nice defaults
policy_out[PolicyKeys.KW_USERS] = ''
policy_out[PolicyKeys.KW_REMOTE_HOSTS] = ''
policy_out[PolicyKeys.KW_MAX_FRAME_SIZE] = 2147483647
policy_out[PolicyKeys.KW_MAX_MESSAGE_SIZE] = 0
policy_out[PolicyKeys.KW_MAX_SESSION_WINDOW] = 2147483647
policy_out[PolicyKeys.KW_MAX_SESSIONS] = 65536
policy_out[PolicyKeys.KW_MAX_SENDERS] = 2147483647
policy_out[PolicyKeys.KW_MAX_RECEIVERS] = 2147483647
policy_out[PolicyKeys.KW_ALLOW_DYNAMIC_SRC] = False
policy_out[PolicyKeys.KW_ALLOW_ANONYMOUS_SENDER] = False
policy_out[PolicyKeys.KW_SOURCES] = ''
policy_out[PolicyKeys.KW_TARGETS] = ''
cerror = []
for key, val in policy_in.iteritems():
if key not in self.allowed_settings_options:
warnings.append("Policy vhost '%s' user group '%s' option '%s' is ignored." %
(vhostname, usergroup, key))
if key in [PolicyKeys.KW_MAX_FRAME_SIZE,
PolicyKeys.KW_MAX_MESSAGE_SIZE,
PolicyKeys.KW_MAX_RECEIVERS,
PolicyKeys.KW_MAX_SENDERS,
PolicyKeys.KW_MAX_SESSION_WINDOW,
PolicyKeys.KW_MAX_SESSIONS
]:
if not self.validateNumber(val, 0, 0, cerror):
errors.append("Policy vhost '%s' user group '%s' option '%s' has error '%s'." %
(vhostname, usergroup, key, cerror[0]))
return False
policy_out[key] = val
elif key == PolicyKeys.KW_REMOTE_HOSTS:
# Conection groups are lists of IP addresses that need to be
# converted into binary structures for comparisons.
val_out = []
if not self.compile_connection_group(vhostname, usergroup, val, val_out, warnings, errors):
return False
policy_out[key] = val_out
elif key in [PolicyKeys.KW_ALLOW_ANONYMOUS_SENDER,
PolicyKeys.KW_ALLOW_DYNAMIC_SRC
]:
if not type(val) is bool:
errors.append("Policy vhost '%s' user group '%s' option '%s' has illegal boolean value '%s'." %
(vhostname, usergroup, key, val))
return False
policy_out[key] = val
elif key in [PolicyKeys.KW_USERS,
PolicyKeys.KW_SOURCES,
PolicyKeys.KW_TARGETS
]:
# accept a string or list
if type(val) is str:
# 'abc, def, mytarget'
val = [x.strip(' ') for x in val.split(PolicyKeys.KC_CONFIG_LIST_SEP)]
elif type(val) is list:
# ['abc', 'def', 'mytarget']
pass
elif type(val) is unicode:
# u'abc, def, mytarget'
val = [x.strip(' ') for x in str(val).split(PolicyKeys.KC_CONFIG_LIST_SEP)]
else:
errors.append("Policy vhost '%s' user group '%s' option '%s' has illegal value '%s'. Type must be 'str' or 'list' but is '%s;" %
(vhostname, usergroup, key, val, type(val)))
# deduplicate address lists
val = list(set(val))
# output result is CSV string with no white space between values: 'abc,def,mytarget'
policy_out[key] = ','.join(val)
return True
def compile_access_ruleset(self, name, policy_in, policy_out, warnings, errors):
"""
Compile a schema from processed json format to local internal format.
@param[in] name vhost name
@param[in] policy_in raw policy to be validated
@param[out] policy_out validated Internal format
@param[out] warnings nonfatal irregularities observed
@param[out] errors descriptions of failure
@return - policy is usable. If True then warnings[] may contain useful
information about fields that are ignored. If False then
warnings[] may contain info and errors[0] will hold the
description of why the policy was rejected.
"""
cerror = []
# rulesets may not come through standard config so make nice defaults
policy_out[PolicyKeys.KW_MAXCONN] = 65535
policy_out[PolicyKeys.KW_MAXCONNPERHOST] = 65535
policy_out[PolicyKeys.KW_MAXCONNPERUSER] = 65535
policy_out[PolicyKeys.KW_CONNECTION_ALLOW_DEFAULT] = False
policy_out[PolicyKeys.KW_GROUPS] = {}
# validate the options
for key, val in policy_in.iteritems():
if key not in self.allowed_ruleset_options:
warnings.append("Policy vhost '%s' option '%s' is ignored." %
(name, key))
if key in [PolicyKeys.KW_MAXCONN,
PolicyKeys.KW_MAXCONNPERHOST,
PolicyKeys.KW_MAXCONNPERUSER
]:
if not self.validateNumber(val, 0, 65535, cerror):
msg = ("Policy vhost '%s' option '%s' has error '%s'." %
(name, key, cerror[0]))
errors.append(msg)
return False
policy_out[key] = val
elif key in [PolicyKeys.KW_CONNECTION_ALLOW_DEFAULT]:
if not type(val) is bool:
errors.append("Policy vhost '%s' option '%s' must be of type 'bool' but is '%s'" %
(name, key, type(val)))
return False
policy_out[key] = val
elif key in [PolicyKeys.KW_GROUPS]:
if not type(val) is dict:
errors.append("Policy vhost '%s' option '%s' must be of type 'dict' but is '%s'" %
(name, key, type(val)))
return False
for skey, sval in val.iteritems():
newsettings = {}
if not self.compile_app_settings(name, skey, sval, newsettings, warnings, errors):
return False
policy_out[key][skey] = {}
policy_out[key][skey].update(newsettings)
# Verify that each user is in only one group.
# Create user-to-group map for looking up user's group
policy_out[PolicyKeys.RULESET_U2G_MAP] = {}
if PolicyKeys.KW_GROUPS in policy_out:
for group, groupsettings in policy_out[PolicyKeys.KW_GROUPS].iteritems():
if PolicyKeys.KW_USERS in groupsettings:
users = [x.strip(' ') for x in groupsettings[PolicyKeys.KW_USERS].split(PolicyKeys.KC_CONFIG_LIST_SEP)]
for user in users:
if user in policy_out[PolicyKeys.RULESET_U2G_MAP]:
errors.append("Policy vhost '%s' user '%s' is in multiple user groups '%s' and '%s'" %
(name, user, policy_out[PolicyKeys.RULESET_U2G_MAP][user], group))
return False
else:
policy_out[PolicyKeys.RULESET_U2G_MAP][user] = group
else:
warnings.append("Policy vhost '%s' user group '%s' has no defined users. This policy has no effect" % (name, group))
# Default connections require a default settings
if policy_out[PolicyKeys.KW_CONNECTION_ALLOW_DEFAULT]:
if not PolicyKeys.KW_DEFAULT_SETTINGS in policy_out[PolicyKeys.KW_GROUPS]:
errors.append("Policy vhost '%s' allows connections by default but default settings are not defined" %
(name))
return False
return True
#
#
class AppStats(object):
"""
Maintain live state and statistics for an vhost.
"""
def __init__(self, id, manager, ruleset):
self.my_id = id
self._manager = manager
self.conn_mgr = PolicyAppConnectionMgr(
ruleset[PolicyKeys.KW_MAXCONN],
ruleset[PolicyKeys.KW_MAXCONNPERUSER],
ruleset[PolicyKeys.KW_MAXCONNPERHOST])
self._cstats = self._manager.get_agent().qd.qd_dispatch_policy_c_counts_alloc()
self._manager.get_agent().add_implementation(self, "vhostStats")
def update_ruleset(self, ruleset):
"""
The parent ruleset has changed.
Propagate settings into the connection manager.
@param ruleset: new ruleset
@return:
"""
self.conn_mgr.update(
ruleset[PolicyKeys.KW_MAXCONN],
ruleset[PolicyKeys.KW_MAXCONNPERHOST],
ruleset[PolicyKeys.KW_MAXCONNPERUSER])
def refresh_entity(self, attributes):
"""Refresh management attributes"""
entitymap = {}
entitymap[PolicyKeys.KW_VHOST_NAME] = self.my_id
entitymap[PolicyKeys.KW_CONNECTIONS_APPROVED] = self.conn_mgr.connections_approved
entitymap[PolicyKeys.KW_CONNECTIONS_DENIED] = self.conn_mgr.connections_denied
entitymap[PolicyKeys.KW_CONNECTIONS_CURRENT] = self.conn_mgr.connections_active
entitymap[PolicyKeys.KW_PER_USER_STATE] = self.conn_mgr.per_user_state
entitymap[PolicyKeys.KW_PER_HOST_STATE] = self.conn_mgr.per_host_state
self._manager.get_agent().qd.qd_dispatch_policy_c_counts_refresh(self._cstats, entitymap)
attributes.update(entitymap)
def can_connect(self, conn_id, user, host, diags):
return self.conn_mgr.can_connect(conn_id, user, host, diags)
def disconnect(self, conn_id, user, host):
self.conn_mgr.disconnect(conn_id, user, host)
def count_other_denial(self):
self.conn_mgr.count_other_denial()
def get_cstats(self):
return self._cstats
#
#
class ConnectionFacts:
def __init__(self, user, host, app, conn_name):
self.user = user
self.host = host
self.app = app
self.conn_name = conn_name
#
#
class PolicyLocal(object):
"""
The local policy database.
"""
def __init__(self, manager):
"""
Create instance
@params manager policy manager class
"""
# manager is a class
# It provides access the dispatch system functions
self._manager = manager
# rulesetdb is a map
# key : vhost name
# val : ruleset for this app
# created by configuration
# augmented by policy compiler
self.rulesetdb = {}
# settingsdb is a map
# key : <vhost name>
# val : a map
# key : <user group name>
# val : settings to use for user's connection
# created by configuration
self.settingsdb = {}
# statsdb is a map
# key : <vhost name>
# val : AppStats object
self.statsdb = {}
# _policy_compiler is a function
# validates incoming policy and readies it for internal use
self._policy_compiler = PolicyCompiler()
# _connections is a map
# key : numeric connection id
# val : ConnectionFacts
# Entries created as connection AMQP Opens arrive
# Entries destroyed as sockets closed
self._connections = {}
# _default_vhost is a string
# holds the name of the vhost to use when the
# open.hostname is not found in the rulesetdb
self._default_vhost = ""
#
# Service interfaces
#
def create_ruleset(self, attributes):
"""
Create named policy ruleset
@param[in] attributes: from config
"""
warnings = []
diag = []
candidate = {}
name = attributes[PolicyKeys.KW_VHOST_NAME]
result = self._policy_compiler.compile_access_ruleset(name, attributes, candidate, warnings, diag)
if not result:
raise PolicyError("Policy '%s' is invalid: %s" % (name, diag[0]))
if len(warnings) > 0:
for warning in warnings:
self._manager.log_warning(warning)
if name not in self.rulesetdb:
self.statsdb[name] = AppStats(name, self._manager, candidate)
self._manager.log_info("Created policy rules for vhost %s" % name)
else:
self.statsdb[name].update_ruleset(candidate)
self._manager.log_info("Updated policy rules for vhost %s" % name)
self.rulesetdb[name] = {}
self.rulesetdb[name].update(candidate)
def policy_read(self, name):
"""
Read policy for named vhost
@param[in] name vhost name
@return policy data in raw user format
"""
return self.rulesetdb[name]
def policy_update(self, name, policy):
"""
Update named policy
@param[in] name vhost name
@param[in] policy data in raw user input
"""
raise PolicyError("Policy updatd function not implemented")
def policy_delete(self, name):
"""
Delete named policy
@param[in] name vhost name
"""
if name not in self.rulesetdb:
raise PolicyError("Policy '%s' does not exist" % name)
del self.rulesetdb[name]
#
# db enumerator
#
def policy_db_get_names(self):
"""
Return a list of vhost names in this policy
"""
return self.rulesetdb.keys()
def set_default_vhost(self, name):
"""
Set the default vhost name.
@param name: the name of the default vhost
@return: none
"""
self._default_vhost = name
self._manager.log_info("Policy fallback defaultVhost is defined: '%s'" % name)
def default_vhost_enabled(self):
"""
The default vhost is enabled if the name is not blank and
the vhost is defined in rulesetdb.
@return:
"""
return not self._default_vhost == "" and self._default_vhost in self.rulesetdb
#
# Runtime query interface
#
def lookup_user(self, user, rhost, vhost_in, conn_name, conn_id):
"""
Lookup function called from C.
Determine if a user on host accessing vhost through AMQP Open is allowed
according to the policy access rules.
If allowed then return the policy vhost settings name. If stats.can_connect
returns true then it has registered and counted the connection.
@param[in] user connection authId
@param[in] rhost connection remote host numeric IP address as string
@param[in] vhost_in vhost user is accessing
@param[in] conn_name connection name used for tracking reports
@param[in] conn_id internal connection id
@return settings user-group name if allowed; "" if not allowed
"""
try:
# choose rule set based on incoming vhost or default vhost
vhost = vhost_in
if vhost_in not in self.rulesetdb:
if self.default_vhost_enabled():
vhost = self._default_vhost
else:
self._manager.log_info(
"DENY AMQP Open for user '%s', rhost '%s', vhost '%s': "
"No policy defined for vhost" % (user, rhost, vhost))
return ""
ruleset = self.rulesetdb[vhost]
# look up the stats
if vhost not in self.statsdb:
msg = (
"DENY AMQP Open for user '%s', rhost '%s', vhost '%s': "
"INTERNAL: Policy is defined but stats are missing" % (user, rhost, vhost))
raise PolicyError(msg)
stats = self.statsdb[vhost]
# Get settings for user in a user group or in default
if user in ruleset[PolicyKeys.RULESET_U2G_MAP]:
usergroup = ruleset[PolicyKeys.RULESET_U2G_MAP][user]
elif "*" in ruleset[PolicyKeys.RULESET_U2G_MAP]:
usergroup = ruleset[PolicyKeys.RULESET_U2G_MAP]["*"]
else:
if ruleset[PolicyKeys.KW_CONNECTION_ALLOW_DEFAULT]:
usergroup = PolicyKeys.KW_DEFAULT_SETTINGS
else:
self._manager.log_info(
"DENY AMQP Open for user '%s', rhost '%s', vhost '%s': "
"User is not in a user group and unknown users are denied" % (user, rhost, vhost))
stats.count_other_denial()
return ""
groupsettings = ruleset[PolicyKeys.KW_GROUPS][usergroup]
# User in usergroup allowed to connect from rhost?
allowed = False
if PolicyKeys.KW_REMOTE_HOSTS in groupsettings:
# Users are restricted to connecting from a rhost
# defined by the group's remoteHost list
cglist = groupsettings[PolicyKeys.KW_REMOTE_HOSTS]
uhs = HostStruct(rhost)
for cohost in cglist:
if cohost.match_bin(uhs):
allowed = True
break
if not allowed:
self._manager.log_info(
"DENY AMQP Open for user '%s', rhost '%s', vhost '%s': "
"User is not allowed to connect from this network host" % (user, rhost, vhost))
stats.count_other_denial()
return ""
# This user passes administrative approval.
# Now check live connection counts
diags = []
if not stats.can_connect(conn_name, user, rhost, diags):
for diag in diags:
self._manager.log_info(
"DENY AMQP Open for user '%s', rhost '%s', vhost '%s': "
"%s" % (user, rhost, vhost, diag))
return ""
# Record facts about this connection to use during teardown
facts = ConnectionFacts(user, rhost, vhost, conn_name)
self._connections[conn_id] = facts
# Return success
return usergroup
except Exception, e:
self._manager.log_info(
"DENY AMQP Open lookup_user failed for user '%s', rhost '%s', vhost '%s': "
"Internal error: %s" % (user, rhost, vhost, e))
# return failure
return ""
def lookup_settings(self, vhost_in, groupname, upolicy):
"""
Given a settings name, return the aggregated policy blob.
@param[in] vhost_in: vhost user is accessing
@param[in] groupname: user group name
@param[out] upolicy: dict holding policy values - the settings blob
TODO: make this a c struct
@return if lookup worked
# Note: the upolicy output is a non-nested dict with settings of interest
"""
try:
vhost = vhost_in
if vhost not in self.rulesetdb:
if self.default_vhost_enabled():
vhost = self._default_vhost
if vhost not in self.rulesetdb:
self._manager.log_info(
"lookup_settings fail for vhost '%s', user group '%s': "
"No policy defined for this vhost" % (vhost, groupname))
return False
ruleset = self.rulesetdb[vhost]
if groupname not in ruleset[PolicyKeys.KW_GROUPS]:
self._manager.log_trace(
"lookup_settings fail for vhost '%s', user group '%s': "
"This vhost has no settings for the user group" % (vhost, groupname))
return False
upolicy.update(ruleset[PolicyKeys.KW_GROUPS][groupname])
upolicy[PolicyKeys.KW_CSTATS] = self.statsdb[vhost].get_cstats()
return True
except Exception, e:
return False
def close_connection(self, conn_id):
"""
Close the connection.
@param conn_id:
@return:
"""
try:
if conn_id in self._connections:
facts = self._connections[conn_id]
stats = self.statsdb[facts.app]
stats.disconnect(facts.conn_name, facts.user, facts.host)
del self._connections[conn_id]
except Exception, e:
self._manager.log_trace(
"Policy internal error closing connection id %s. %s" % (conn_id, str(e)))
#
#
def test_load_config(self):
"""
Test function to load a policy.
@return:
"""
ruleset_str = '["vhost", {"id": "photoserver", "maxConnections": 50, "maxConnectionsPerUser": 5, "maxConnectionsPerHost": 20, "allowUnknownUser": true,'
ruleset_str += '"groups": {'
ruleset_str += '"anonymous": { "users": "anonymous", "remoteHosts": "*", "maxFrameSize": 111111, "maxMessageSize": 111111, "maxSessionWindow": 111111, "maxSessions": 1, "maxSenders": 11, "maxReceivers": 11, "allowDynamicSource": false, "allowAnonymousSender": false, "sources": "public", "targets": "" },'
ruleset_str += '"users": { "users": "u1, u2", "remoteHosts": "*", "maxFrameSize": 222222, "maxMessageSize": 222222, "maxSessionWindow": 222222, "maxSessions": 2, "maxSenders": 22, "maxReceivers": 22, "allowDynamicSource": false, "allowAnonymousSender": false, "sources": "public, private", "targets": "public" },'
ruleset_str += '"paidsubscribers": { "users": "p1, p2", "remoteHosts": "*", "maxFrameSize": 333333, "maxMessageSize": 333333, "maxSessionWindow": 333333, "maxSessions": 3, "maxSenders": 33, "maxReceivers": 33, "allowDynamicSource": true, "allowAnonymousSender": false, "sources": "public, private", "targets": "public, private" },'
ruleset_str += '"test": { "users": "zeke, ynot", "remoteHosts": "10.48.0.0-10.48.255.255, 192.168.100.0-192.168.100.255", "maxFrameSize": 444444, "maxMessageSize": 444444, "maxSessionWindow": 444444, "maxSessions": 4, "maxSenders": 44, "maxReceivers": 44, "allowDynamicSource": true, "allowAnonymousSender": true, "sources": "private", "targets": "private" },'
ruleset_str += '"admin": { "users": "alice, bob", "remoteHosts": "10.48.0.0-10.48.255.255, 192.168.100.0-192.168.100.255, 10.18.0.0-10.18.255.255, 127.0.0.1, ::1", "maxFrameSize": 555555, "maxMessageSize": 555555, "maxSessionWindow": 555555, "maxSessions": 5, "maxSenders": 55, "maxReceivers": 55, "allowDynamicSource": true, "allowAnonymousSender": true, "sources": "public, private, management", "targets": "public, private, management" },'
ruleset_str += '"superuser": { "users": "ellen", "remoteHosts": "72.135.2.9, 127.0.0.1, ::1", "maxFrameSize": 666666, "maxMessageSize": 666666, "maxSessionWindow": 666666, "maxSessions": 6, "maxSenders": 66, "maxReceivers": 66, "allowDynamicSource": false, "allowAnonymousSender": false, "sources": "public, private, management, root", "targets": "public, private, management, root" },'
ruleset_str += '"$default": { "users": "*", "remoteHosts": "*", "maxFrameSize": 222222, "maxMessageSize": 222222, "maxSessionWindow": 222222, "maxSessions": 2, "maxSenders": 22, "maxReceivers": 22, "allowDynamicSource": false, "allowAnonymousSender": false, "sources": "public, private", "targets": "public" }'
ruleset_str += '}}]'
ruleset = json.loads(ruleset_str)
self.create_ruleset(ruleset[1])